I tested this in two browsers, logged into one as an Administrator (Ethan) and another as a normal user (Fako).  When Ethan gave Fako admin permissions, Fako reloaded his page was immediately able to see restricted comment.  Then Ethan took his admin permissions away and the restricted content was immediately gone.

I also tried to reproduce the problem in automated tests but was unable to.

It's possible that some recent upgrades that have cleaned up cache clearing (particularly those moving actions to the new events api) have fixed some loophole by which some card's cache was not previously cleared.

The following are technical notes on role caching / clearing for future reference:

• roles are cached on cards with accounts in the @parties instance variable
• that variable is populated on the local cache but not the system cache
• since all requests clear the local cache (via Wagn::Cache.renew), the @parties variable should not be populated in cards retrieved from the systems cache
• the "current account card" is stored in a class variable (@@current) on the Account class.  Every requests sets Account.current_id, and that setting clears many class variables including @@current.
• So, ultimately @parties should be fully refreshed with each request in principle.