There is one oddity in how this all works. Suppose a user who doesn't have authority to post a message tries to post one. The message appears in the blog on their screen, but it doesn't show up anywhere else, and it disappears the moment the user reloads the page. This is because the screen display is controlled by local JavaScript, whereas updating the database requires an additional server-level authentication check, controlled by the localAuthority.php file. If the server doesn't accept the user, nothing is entered into the database, and the reload, which downloads the data again, won't find the message.

The solution would be either to download the blog again after every update, which is a waste of time in most cases, or to remove the entry from the screen when a failure to add it to the database is reported. Given the asynchronous way the database is updated, this would involve some clever programming. Since aBlog2 should never show a person links to do things they don't have authority to do, the only way this situation should occur is if somebody altered the JavaScript at run time. Since they shouldn't do that, we're not worried about making their life easy.
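
The second option above (removing the entry when the server reports a failure) can be sketched as follows. This is an added example, not aBlog2's own code: every function name is hypothetical, the screen is modelled as an in-memory list, and the server is a constructed stand-in whose `isAuthorised` callback plays the role of the server-side check.

```javascript
// Added example; every name below is hypothetical, not aBlog2's own code.

// In-memory stand-in for the entries currently drawn on screen.
function createBlogView() {
  const entries = [];
  let nextLocalId = 1;
  return {
    add(text) {
      const entry = { localId: nextLocalId++, text, pending: true };
      entries.push(entry);
      return entry;
    },
    confirm(localId) {
      const entry = entries.find((e) => e.localId === localId);
      if (entry) entry.pending = false;
    },
    remove(localId) {
      const index = entries.findIndex((e) => e.localId === localId);
      if (index !== -1) entries.splice(index, 1);
    },
    visibleTexts: () => entries.map((e) => e.text),
    pendingCount: () => entries.filter((e) => e.pending).length,
  };
}

// Show the entry at once, then keep or remove it when the server answers.
// Rollback is keyed on localId because replies can arrive in any order.
function postEntry(view, text, sendToServer) {
  const entry = view.add(text);
  sendToServer(text, (result) => {
    if (result && result.ok === true) view.confirm(entry.localId);
    else view.remove(entry.localId); // rejected or malformed reply: undo
  });
  return entry.localId;
}

// Constructed server stand-in: queues replies so they can be delivered late
// and out of order. isAuthorised plays the role of the server-side check.
function createDeferredServer(isAuthorised) {
  const queue = [];
  return {
    send(text, callback) {
      queue.push(() => callback({ ok: isAuthorised(text) }));
    },
    flushReversed() {
      while (queue.length) queue.pop()();
    },
  };
}
```

The rollback only tidies the display; the decision about what reaches the database still rests entirely with the server-side check.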