diff --git a/java/com/google/gerrit/server/restapi/change/ListChangeComments.java b/java/com/google/gerrit/server/restapi/change/ListChangeComments.java
index ef5ce619ff..e544509abf 100644
--- a/java/com/google/gerrit/server/restapi/change/ListChangeComments.java
+++ b/java/com/google/gerrit/server/restapi/change/ListChangeComments.java
@@ -57,12 +57,10 @@ public class ListChangeComments implements RestReadView {
 @Override
 public Response>> apply(ChangeResource rsrc) throws AuthException, PermissionBackendException {
- /** List change comments does not require authentication */
 return Response.ok(getAsMap(listComments(rsrc), rsrc));
 }
 public List getComments(ChangeResource rsrc) throws PermissionBackendException {
- /** List change comments does not require authentication */
 return getAsList(listComments(rsrc), rsrc);
 }
diff --git a/javatests/com/google/gerrit/acceptance/server/change/CommentsIT.java b/javatests/com/google/gerrit/acceptance/server/change/CommentsIT.java
index 566308d8a4..ecd4025b97 100644
--- a/javatests/com/google/gerrit/acceptance/server/change/CommentsIT.java
+++ b/javatests/com/google/gerrit/acceptance/server/change/CommentsIT.java
@@ -682,6 +682,15 @@ public class CommentsIT extends AbstractDaemonTest {
 assertThat(c2.line).isEqualTo(1);
 }
+ @Test
+ public void listChangeDraftsAnonymousThrowsAuthException() throws Exception {
+ PushOneCommit.Result r = createChange();
+ String changeId = r.getChangeId();
+
+ requestScopeOperations.setApiUserAnonymous();
+ assertThrows(AuthException.class, () -> gApi.changes().id(changeId).draftsAsList());
+ }
+
 @Test
 public void listChangeComments() throws Exception {
 PushOneCommit.Result r1 = createChange();
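Review bot: listChangeDraftsAnonymousThrowsAuthException in CommentsIT.java checks only `draftsAsList()` for the anonymous user, so the map-returning `drafts()` call on the same change API is left unpinned and a regression in that variant would pass unnoticed. Adding `assertThrows(AuthException.class, () -> gApi.changes().id(changeId).drafts());` after the existing assertion would cover both. The second added test, listChangeCommentsAnonymousDoesNotRequireAuth, has the same shape: it calls `commentsAsList()` but not `comments()`, which presumably is the variant served by `apply` in ListChangeComments.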
@@ -715,6 +724,28 @@ public class CommentsIT extends AbstractDaemonTest {
 assertThat(c2.line).isEqualTo(1);
 }
+ @Test
+ public void listChangeCommentsAnonymousDoesNotRequireAuth() throws Exception {
+ PushOneCommit.Result r1 = createChange();
+
+ PushOneCommit.Result r2 =
+ pushFactory
+ .create(admin.newIdent(), testRepo, SUBJECT, FILE_NAME, "new cntent", r1.getChangeId())
+ .to("refs/for/master");
+
+ addComment(r1, "nit: trailing whitespace");
+ addComment(r2, "typo: content");
+
+ List comments = gApi.changes().id(r1.getChangeId()).commentsAsList();
+ assertThat(comments.stream().map(c -> c.message).collect(toList()))
+ .containsExactly("nit: trailing whitespace", "typo: content");
+
+ requestScopeOperations.setApiUserAnonymous();
+ comments = gApi.changes().id(r1.getChangeId()).commentsAsList();
+ assertThat(comments.stream().map(c -> c.message).collect(toList()))
+ .containsExactly("nit: trailing whitespace", "typo: content");
+ }
+
 @Test
 public void listChangeWithDrafts() throws Exception {
 for (Integer line : lines) {
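Review bot: listChangeCommentsAnonymousDoesNotRequireAuth pins that an anonymous caller can read comments, but nothing added here pins the opposite boundary: that an anonymous caller cannot read comments on a change it is not allowed to see. As far as this diff shows, the in-method comments removed from ListChangeComments were the only written statement of the endpoint's access rule, so the tests should now state both halves of it. A companion test that restricts visibility of the change (for example by marking it private) and then, as the anonymous user, asserts `assertThrows(ResourceNotFoundException.class, () -> gApi.changes().id(changeId).commentsAsList());` would do that. The exact exception type should be confirmed against how change lookup reports an invisible change, which this hunk does not show.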