If people can comment/update without being logged in, then you definitely have allowed "anyone" access in the permission scheme. Are you sure you are looking at the right scheme for that project?
Also, the other place people can do this is in the workflow. If you have transitions in your workflow, then by default, ANYONE can use them. Until you explicitly add conditions to them to stop them doing it. I tend to just stick "must be role of user" into every transition to begin with.
It's very common for people to miss this - I didn't realise for the first six or seven workflows I constructed!
![Nic Brough [Adaptavist]](https://avatar-cdn.atlassian.com/053c857b7b2c424c1d3c24a86cb95aa9 "Nic Brough [Adaptavist]"){kind=avatar}
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.