Presently, when accessing the ratings API, anonymous users will see "can_rate":true, which is false. Only signed-in users who have purchased a paid app should be able to submit a review.
STR? I can't reproduce. 'can_rate' appears as a member of the `user` object in API responses, which should be `None` in anonymous requests.
Looks like this has changed in the past week or so; the user object is null for me now. Very odd. Will reopen if I find shenanigans.