diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index a623a64fce..cfb49d8f7a 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -11,7 +11,8 @@ class NotesController < ApplicationController
   # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
   def create
     @note = Note.new
-    @note.user_id = note_params[:user_id]
+    # take user id from current user rather than form as form can be spoofed
+    @note.user_id = current_user.id
     # ensure user has access to plan BEFORE creating/finding answer
     unless Plan.find_by(id: note_params[:plan_id]).readable_by?(@note.user_id)
       raise Pundit::NotAuthorizedError
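Review bot: The authorization check right after the new assignment still dereferences `Plan.find_by(id: note_params[:plan_id])` without a nil guard, so a missing or tampered `plan_id` turns into a `NoMethodError` (500) instead of a clean authorization failure, and `current_user.id` assumes an authenticated user, which this hunk cannot confirm is enforced by a `before_action`. I would make the denial explicit with `plan = Plan.find_by(id: note_params[:plan_id])` followed by `raise Pundit::NotAuthorizedError unless plan&.readable_by?(@note.user_id)`, so an unknown plan is rejected the same way as an unreadable one. Since `user_id` is no longer read from the form, it should also be dropped from the permitted keys in `note_params` (not visible here) so the spoofable value cannot reach any other assignment path. The body of `create` continues past the end of this hunk.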