Permission handling for public ex-remit setup #81
Description
As mentioned in #80, we've set up ex-remit for the use in the open source project XWiki. We don't really care about keeping ex-remit private - in fact, we would want that contributors can see comments that we left for them, and they should be able to mark comments for them as resolved so they can easily find unresolved ones. On the other hand, it might not be desirable that any GitHub user can log in and mark a commit as reviewed (or change settings in ex-remit). I've seen that in 0cf55e1 a feature to limit review access has been added. If we used that (not sure how to configure that), would you consider it safe to publish the auth key or is this against the security concept of ex-remit? If this currently isn't advised, what would need to be changed to support a public ex-remit instance?