From 632cbb151790dc4e4cdc677d97f3db2eee71c7b0 Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Thu, 9 Dec 2021 13:06:12 +0000
Subject: [PATCH] use current user rather than form user id which can be spoofed

---
 app/controllers/notes_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index a623a64fce..cfb49d8f7a 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -11,7 +11,8 @@ class NotesController < ApplicationController
   # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
   def create
     @note = Note.new
-    @note.user_id = note_params[:user_id]
+    # take user id from current user rather than form as form can be spoofed
+    @note.user_id = current_user.id
     # ensure user has access to plan BEFORE creating/finding answer
     unless Plan.find_by(id: note_params[:plan_id]).readable_by?(@note.user_id)
       raise Pundit::NotAuthorizedError
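Review bot: The fix only stops reading `note_params[:user_id]` at this one assignment; the strong-parameters allow-list that `note_params` builds is outside the hunk, and if it still permits `:user_id` the same client-supplied value can still reach the model wherever `note_params` is mass-assigned (e.g. an `update` action), so `:user_id` should be dropped from the permitted keys as part of this change. The new `@note.user_id = current_user.id` also assumes an authenticated session: if `create` is not covered by an authentication `before_action`, an anonymous request fails with a `NoMethodError` on `nil` rather than a clean authorization failure, so either confirm that filter applies or add `raise Pundit::NotAuthorizedError if current_user.nil?` before the assignment. The `create` method continues past the end of the hunk.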