From e4b861d76f2da302136cd2b10c26fcf2f213b974 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Thu, 29 Jan 2026 13:29:30 -0800
Subject: [PATCH] Fix: prevent note deletion outside doc

---
 src/documents/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/documents/views.py b/src/documents/views.py
index a91ad8594..f6bec1f0d 100644
--- a/src/documents/views.py
+++ b/src/documents/views.py
@@ -1099,7 +1099,7 @@ class DocumentViewSet(
             ):
                 return HttpResponseForbidden("Insufficient permissions to delete notes")
 
-            note = Note.objects.get(id=int(request.GET.get("id")))
+            note = Note.objects.get(id=int(request.GET.get("id")), document=doc)
             if settings.AUDIT_LOG_ENABLED:
                 LogEntry.objects.log_create(
                     instance=doc,