[Mattermost] Privilege Escalation leading to post in channel without having privilege ($150 USD)
Original Post:
We discussed this vulnerability during Episode 83 on 20 September 2021
This is effectively a replay attack. Join a channel you can comment in, post a comment and capture that POST request. Then switch to a channel you cannot comment in (but can join) and resend the captured POST request unchanged. It's interesting that permissions were (apparently) not being checked on the server at the time of sending. Also, since no modification of the captured request was necessary, Mattermost must be tracking state such as which channel is being viewed on the server side rather than including it in the request, which makes me suspicious that there would be other state-tracking issues in the application for future bug hunters to find.
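The fix a defender wants for this class of bug is to make the target channel an explicit, authorized part of every write request instead of something inferred from server-side "what is the user looking at" state. The Go sketch below is an added illustration written for this summary; it is not Mattermost's code, and the user names, channel names, `canPost` table, JSON field names and handler are all constructed assumptions. It contrasts `weakTarget` (channel resolved from mutable session state, so an identical body lands wherever the session currently points) with `authorizePost` (channel taken from the request body and the caller's permission for that specific channel checked on every call).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed permission model (illustration only, not Mattermost's schema):
// which users may post in which channels.
var canPost = map[string]map[string]bool{
	"alice": {"general": true, "announcements": false},
}

// Session holds server-side state. currentChannel models the kind of
// "channel currently being viewed" state the write-up suspects the server
// was relying on.
type Session struct {
	UserID         string
	currentChannel string
}

// postRequest is the hypothetical JSON body of a "create post" call.
type postRequest struct {
	ChannelID string `json:"channel_id"`
	Message   string `json:"message"`
}

var (
	ErrForbidden  = errors.New("forbidden: no post permission in channel")
	ErrBadRequest = errors.New("bad request: channel_id required")
)

// weakTarget models the flaw: resolving the destination from session state
// means a replayed request body is delivered to whatever channel the session
// happens to point at now, with no per-channel permission decision.
func weakTarget(s *Session) string {
	return s.currentChannel
}

// authorizePost is the hardened check: the destination comes from the
// request itself and the user's permission for that exact channel is
// verified on every call, independent of session state.
func authorizePost(s *Session, req postRequest) error {
	if req.ChannelID == "" {
		return ErrBadRequest
	}
	if !canPost[s.UserID][req.ChannelID] {
		return ErrForbidden
	}
	return nil
}

// handlePost decodes the body and applies authorizePost, returning the HTTP
// status code so the behaviour can be checked without a running server.
func handlePost(s *Session, body string) int {
	var req postRequest
	if err := json.NewDecoder(strings.NewReader(body)).Decode(&req); err != nil {
		return http.StatusBadRequest
	}
	switch err := authorizePost(s, req); {
	case errors.Is(err, ErrBadRequest):
		return http.StatusBadRequest
	case errors.Is(err, ErrForbidden):
		return http.StatusForbidden
	}
	return http.StatusCreated
}

func main() {
	s := &Session{UserID: "alice", currentChannel: "general"}
	captured := `{"channel_id":"general","message":"hello"}`
	fmt.Println("first send:", handlePost(s, captured)) // 201

	// The user switches to a channel they may only read.
	s.currentChannel = "announcements"
	fmt.Println("weak target after switch:", weakTarget(s)) // announcements
	fmt.Println("replay of captured body:", handlePost(s, captured)) // still 201, still to general
	fmt.Println("explicit post to announcements:",
		handlePost(s, `{"channel_id":"announcements","message":"hello"}`)) // 403
}
```

With the channel carried in the request and authorized there, replaying the captured body can only ever target the channel it was captured for, and any attempt to name a read-only channel is rejected with 403 rather than silently succeeding.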