Check for permissions before sending out notifications about mentions

Users, who have activated notifications and who are being mentioned anywhere on the community, are getting an email notification. So far, so expected.

But: The system doesn't check if the user has permission to access the category the mention took place.

So when users get mentioned in a category they don't have access to (because they don't have the needed role), they still get a notification. They open the notification like always, click on the link and expect to read the content / context they have been mentioned in. But instead they get to an error page (403) instead.

In our opinion this is a bad user experience. And we've already seen on our community, that it can lead to a bad atmosphere. Because users might think that other users talk about them behind their backs and they have no idea what it is about.

Our use case:
We have created a restricted category where only power users and moderators have access. In this category our power users can support our moderators by alerting them of rule breaking in the public categories or when a user questions needs an immediate moderator's attention.
Usually our power users add the username via mention, the link to the public content and a short description, so that moderators can easily work with that information.
But like described above: The users who are mentioned get a notification but they don't have access to that restricted category. So they don't understand why they can't see it and why they are mentioned. This leads to frustration.

That's why we propose that a check is implemented. Before a notification gets sent, there should be a check if the recipient can even access the content.