From befd7f313c3dfbd4e4a509ab03bd61c055ab3be9 Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Tue, 28 Apr 2026 11:18:06 +0530
Subject: [PATCH 1/2] fix(discussion_topic): add perm. check to submit_discussion method
Users should not be able to edit someone else's replies. Forbidding it w/ this check.
---
 frappe/website/doctype/discussion_topic/discussion_topic.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/frappe/website/doctype/discussion_topic/discussion_topic.py b/frappe/website/doctype/discussion_topic/discussion_topic.py
index e877beaa64..27520dd83d 100644
--- a/frappe/website/doctype/discussion_topic/discussion_topic.py
+++ b/frappe/website/doctype/discussion_topic/discussion_topic.py
@@ -33,6 +33,8 @@ def submit_discussion(
 ):
 if reply_name:
 doc = frappe.get_doc("Discussion Reply", reply_name)
+ if doc.owner != frappe.session.user:
+ frappe.throw(frappe._("You can only edit your own replies."), frappe.PermissionError)
 doc.reply = reply
 doc.save(ignore_permissions=True)
 return
From a9d98723b42610dd8638ef39d9ce623047231125 Mon Sep 17 00:00:00 2001
From: AarDG10
Date: Tue, 28 Apr 2026 12:08:09 +0530
Subject: [PATCH 2/2] test: add test to check if reply is restricted to owner
---
 .../discussion_topic/test_discussion_topic.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/frappe/website/doctype/discussion_topic/test_discussion_topic.py b/frappe/website/doctype/discussion_topic/test_discussion_topic.py
index d6c005e85f..2b1d3a6991 100644
--- a/frappe/website/doctype/discussion_topic/test_discussion_topic.py
+++ b/frappe/website/doctype/discussion_topic/test_discussion_topic.py
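Review bot: The owner comparison added before `doc.reply = reply` is now the only authorisation applied to reply edits, because the `doc.save(ignore_permissions=True)` two lines below bypasses DocType permissions entirely, and nothing on the added lines says so; a comment such as `# save() below passes ignore_permissions, so this owner check is the sole write guard for edits` would keep a later change from relaxing either line on its own. As written the check also refuses Administrator and any moderator role when the reply belongs to someone else, which may be intended; if privileged moderation is wanted, `if doc.owner != frappe.session.user and not doc.has_permission("write"):` keeps the owner rule for ordinary users while letting DocType write permission through. submit_discussion's signature begins above the hunk and its body continues below the `return`, so whatever validation runs on the create path is not visible here.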
@@ -1,9 +1,23 @@
 # Copyright (c) 2021, FOSS United and Contributors
 # See license.txt
-# import frappe
+import frappe
 from frappe.tests import IntegrationTestCase
+from frappe.website.doctype.discussion_topic.discussion_topic import submit_discussion
 class TestDiscussionTopic(IntegrationTestCase):
- pass
+ def test_edit_discussion_reply(self):
+ """Test whether editing a reply is restricted to the owner."""
+ topic_name = submit_discussion("User", "Administrator", "Original", "Title")
+ reply_name = frappe.db.get_value("Discussion Reply", {"topic": topic_name}, "name")
+
+ frappe.set_user("Guest")
+ with self.assertRaises(frappe.PermissionError):
+ submit_discussion("User", "Administrator", "Hacked", "Title", reply_name=reply_name)
+
+ self.assertEqual(frappe.db.get_value("Discussion Reply", reply_name, "reply"), "Original")
+
+ frappe.set_user("Administrator")
+ submit_discussion("User", "Administrator", "Changed!", "Title", reply_name=reply_name)
+ self.assertEqual(frappe.db.get_value("Discussion Reply", reply_name, "reply"), "Changed!")
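Review bot: `frappe.set_user("Guest")` in test_edit_discussion_reply is only reverted on the success path, so a failing assertion inside the `with self.assertRaises` block or the first `assertEqual` leaves the session as Guest for every later test in the run; registering the restore up front with `self.addCleanup(frappe.set_user, "Administrator")` right after the `reply_name` lookup undoes the switch regardless of outcome. The negative case only exercises Guest, whereas the commit message describes another user's reply; a second logged-in user that owns no reply would be the more representative case if the test fixtures provide one, and it would also show the check is not masked by an earlier Guest-specific rejection. The positional arguments passed to submit_discussion are inferred from the call sites here, since the signature is not visible in this patch.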