Toomas has the right answer, but to expand on it, he means that the user needs to have permission on the process itself for 'Can Edit'. You can see the process permission in the Process Permission webpart on the right hand side of the process view page.
The process permissions are typically assigned view process automation in the admin section. Usually this happens in the 'OnIncidentReceived' or 'OnIncidentAssigned' type rulesets (substitute change for incident if you are looking at change tickets instead of incidents). In most cases you won't be assigning permissions to an individual but to a group instead.
So to answer the question, is the user who can't add a comment part of a group that has 'Can Edit' permission? Did a group not get this permission assigned view automation rules?