Movable Type seems to only check the blog_id of the url for security access.

this means, that if a user has access to blog_id 4, all he has to do is change the comment_id or entry_id to any other valid id on the system in the url, and he can edit them. It won't rebuild the page, but the changes seem to stick.

Shouldn't there be a comment/entry id -> blog mapping and that mapping be checked instead of depending on blog_id.