Merge pull request #38952 from AarDG10/fix-disc-topic

fix(discussion_topic): add perm. check to submit_discussion method

frappe/website/doctype/discussion_topic/discussion_topic.py

@@ -33,6 +33,8 @@ def submit_discussion(
 ):
 	if reply_name:
 		doc = frappe.get_doc("Discussion Reply", reply_name)
+		if doc.owner != frappe.session.user:
+			frappe.throw(frappe._("You can only edit your own replies."), frappe.PermissionError)
 		doc.reply = reply
 		doc.save(ignore_permissions=True)
 		return

frappe/website/doctype/discussion_topic/test_discussion_topic.py

@@ -1,9 +1,23 @@
 # Copyright (c) 2021, FOSS United and Contributors
 # See license.txt
 
-# import frappe
+import frappe
 from frappe.tests import IntegrationTestCase
+from frappe.website.doctype.discussion_topic.discussion_topic import submit_discussion
 
 
 class TestDiscussionTopic(IntegrationTestCase):
-	pass
+	def test_edit_discussion_reply(self):
+		"""Test whether editing a reply is restricted to the owner."""
+		topic_name = submit_discussion("User", "Administrator", "Original", "Title")
+		reply_name = frappe.db.get_value("Discussion Reply", {"topic": topic_name}, "name")
+
+		frappe.set_user("Guest")
+		with self.assertRaises(frappe.PermissionError):
+			submit_discussion("User", "Administrator", "Hacked", "Title", reply_name=reply_name)
+
+		self.assertEqual(frappe.db.get_value("Discussion Reply", reply_name, "reply"), "Original")
+
+		frappe.set_user("Administrator")
+		submit_discussion("User", "Administrator", "Changed!", "Title", reply_name=reply_name)
+		self.assertEqual(frappe.db.get_value("Discussion Reply", reply_name, "reply"), "Changed!")