In most cases, end users need a shared, published app that they can comment on. This requires a few security rules that together define a new role, Commenting Role. Users who are assigned the Commenting Role can comment directly in published apps.
Just set up the rules below in the Qlik Management Console and you are good to go.
CommentingRole – App
Resource Filter: App_*
Actions: Update
Condition: ((user.roles="CommentingRole") and resource.stream.HasPrivilege("read"))
The end user needs ‘UPDATE’ permission on the app that is to be commented on (modified) via the extension.
CommentingRole – AppObject
Resource Filter: App.Object_*
Actions: Read
Condition: ((user.roles="CommentingRole"))
The end user needs a security rule on appObject with ‘READ’ permission to load the script, in order to trigger a partial reload (by default, Qlik Sense blocks script access in published apps).
CommentingRole - DataConnection
Resource Filter: DataConnection_*
Actions: Read
Condition: ((user.roles="CommentingRole"))
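The end user also requires ‘READ’ permission on every data connection that appears in the load script (all data connections used in the current app, whether or not they are executed during the partial reload; unfortunately, this is how Qlik works). As written, the condition checks only the role, so this rule gives role holders ‘READ’ on every data connection that matches DataConnection_*.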
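A pre-flight check for the three rules above, written as an added example (it is not part of the original page and is not Qlik code). It flags conditions with typographic or unbalanced quotes and rules whose condition limits access by role only; the finding names are hypothetical, and the third rule's closing quote is constructed to show what copy and paste from a formatted page can introduce.

```python
import re

# The three rules from this page. The third condition ends in a typographic
# quote (constructed sample) instead of the straight quote the rules use.
RULES = [
    {"name": "CommentingRole - App", "filter": "App_*", "actions": ["Update"],
     "condition": '((user.roles="CommentingRole") and '
                  'resource.stream.HasPrivilege("read"))'},
    {"name": "CommentingRole - AppObject", "filter": "App.Object_*",
     "actions": ["Read"],
     "condition": '((user.roles="CommentingRole"))'},
    {"name": "CommentingRole - DataConnection", "filter": "DataConnection_*",
     "actions": ["Read"],
     "condition": '((user.roles="CommentingRole\u201d))'},
]

TYPOGRAPHIC_QUOTES = "\u2018\u2019\u201c\u201d"


def audit_rule(rule):
    """Return a list of finding names (hypothetical labels) for one rule."""
    findings = []
    cond = rule["condition"]
    if any(ch in TYPOGRAPHIC_QUOTES for ch in cond):
        findings.append("typographic-quote")
    if cond.count('"') % 2:
        findings.append("unbalanced-quotes")
    if cond.count("(") != cond.count(")"):
        findings.append("unbalanced-parens")
    # Blank out string literals so "resource." inside a literal is not counted.
    bare = re.sub(r'"[^"]*"', '""', cond)
    # A wildcard filter whose condition never looks at the resource grants the
    # action on every matching resource to anyone who passes the user check.
    if rule["filter"].endswith("_*") and "resource." not in bare:
        findings.append("role-only-scope")
    return findings


def audit(rules):
    """Map each rule name to its findings."""
    return {r["name"]: audit_rule(r) for r in rules}


if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Only the App rule comes back clean, because its condition also requires read privilege on the app's stream; the other two are reported as role-only.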