diff --git a/lib/myapp/data/reply.ex b/lib/myapp/data/reply.ex
index 814e953..d49660a 100644
--- a/lib/myapp/data/reply.ex
+++ b/lib/myapp/data/reply.ex
@@ -1,6 +1,5 @@
 defmodule MyApp.Data.Reply do
   use Ecto.Schema
-  import Ecto.Query
   import Ecto.Changeset
   alias MyApp.Repo
   alias MyApp.Data
@@ -15,18 +14,47 @@ defmodule MyApp.Data.Reply do
     timestamps()
   end
 
-  def changeset(reply, params \\ %{}) do
+  defp insert_changeset(reply, params \\ %{}) do
     reply
-    |> cast(params, [:user_id, :thread_id, :content, :edited, :quote])
+    |> cast(params, [:user_id, :thread_id, :content, :quote])
     |> validate_required([:user_id, :thread_id, :content])
     |> foreign_key_constraint(:user_id)
     |> foreign_key_constraint(:thread_id)
   end
 
+  # allow user to update reply
+  defp user_update_changeset(reply, params \\ %{}) do
+    reply
+    |> cast(params, [:content])
+    |> force_change(:edited, true) # set edited flag on update
+    |> validate_required([:content])
+  end
+
+  @spec insert_reply(map) :: {:ok, map} | {:error, map}
   def insert_reply(params) do
-    changeset(%Data.Reply{}, params)
+    insert_changeset(%Data.Reply{}, params)
     |> Repo.insert
     |> Data.Util.process_insert_or_update
   end
 
+  @spec user_update_reply(map) :: {:ok, map} | {:error, map}
+  def user_update_reply(params) do
+    id = Map.get(params, "id")
+    user_id = Map.get(params, "user_id")
+
+    if is_nil(id) || is_nil(user_id) do
+      {:error, "Invalid reply"}
+    else
+      Repo.get_by(Data.Reply, %{id: id, user_id: user_id})
+      |> process_user_update(params)
+    end
+  end
+
+  defp process_user_update(reply, _params) when is_nil(reply), do: {:error, "Invalid reply"}
+  defp process_user_update(reply, params) when not is_nil(reply) do
+    user_update_changeset(reply, params)
+    |> Repo.update
+    |> Data.Util.process_insert_or_update
+  end
+
 end
diff --git a/lib/myapp/data/thread.ex b/lib/myapp/data/thread.ex
index 69d7d67..de35d25 100644
--- a/lib/myapp/data/thread.ex
+++ b/lib/myapp/data/thread.ex
@@ -18,7 +18,7 @@ defmodule MyApp.Data.Thread do
     timestamps()
   end
 
-  def insert_changeset(thread, params \\ %{}) do
+  defp insert_changeset(thread, params \\ %{}) do
     thread
     |> cast(params, [:title, :category_id, :content, :user_id])
     |> validate_required([:title, :category_id, :content, :user_id])
@@ -26,13 +26,18 @@ defmodule MyApp.Data.Thread do
     |> foreign_key_constraint(:user_id)
   end
 
-  def update_changeset(thread, params \\ %{}) do
+  # TODO: allow mods to set sticky/locked on threads
+  defp mod_update_changeset(thread, params \\ %{}) do
     thread
-    |> cast(params, [:content, :user_id, :sticky, :locked])
+    |> cast(params, [:sticky, :locked])
+  end
+
+  # allow user to update content of their own thread
+  defp user_update_changeset(thread, params \\ %{}) do
+    thread
+    |> cast(params, [:content])
     |> force_change(:edited, true) # set edited flag on update
-    |> validate_required([:content, :user_id])
-    |> foreign_key_constraint(:category_id)
-    |> foreign_key_constraint(:user_id)
+    |> validate_required([:content])
   end
 
   def insert_thread(params) do
@@ -41,22 +46,24 @@ defmodule MyApp.Data.Thread do
     |> Data.Util.process_insert_or_update
   end
 
-  def update_thread(params) do
+  @spec user_update_thread(map) :: {:ok, map} | {:error, map}
+  def user_update_thread(params) do
     id = Map.get(params, "id")
-    if id == nil do
+    user_id = Map.get(params, "user_id")
+
+    if is_nil(id) || is_nil(user_id) do
       {:error, "Invalid thread"}
     else
-      Repo.get(Data.Thread, id)
-      |> process_update(params)
+      Repo.get_by(Data.Thread, %{id: id, user_id: user_id})
+      |> process_user_update(params)
     end
   end
 
   # TODO: delete thread
 
-  # TODO: check user permissions for sticky/locked
-  defp process_update(thread, _params) when is_nil(thread), do: {:error, "Invalid thread"}
-  defp process_update(thread, params) when not is_nil(thread) do
-    update_changeset(thread, params)
+  defp process_user_update(thread, _params) when is_nil(thread), do: {:error, "Invalid thread"}
+  defp process_user_update(thread, params) when not is_nil(thread) do
+    user_update_changeset(thread, params)
     |> Repo.update
     |> Data.Util.process_insert_or_update
   end
diff --git a/lib/myapp/data/user.ex b/lib/myapp/data/user.ex
index be3b4bf..6fcd483 100644
--- a/lib/myapp/data/user.ex
+++ b/lib/myapp/data/user.ex
@@ -10,7 +10,6 @@ defmodule MyApp.Data.User do
     field :battle_net_id, :integer
     field :battletag, :string
     field :permissions, :string, default: "user" # admin, mod, user
-
     timestamps()
   end
 
diff --git a/lib/myapp/data/util.ex b/lib/myapp/data/util.ex
index 5d64d08..27d5279 100644
--- a/lib/myapp/data/util.ex
+++ b/lib/myapp/data/util.ex
@@ -1,11 +1,13 @@
 defmodule MyApp.Data.Util do
 
+  @spec map_changeset(map) :: map
   def map_changeset(changeset) do
     Enum.map(changeset.errors, fn {key, val} ->
       %{key => elem(val, 0)}
     end)
   end
 
+  @spec process_insert_or_update({atom, map}) :: {:ok, map} | {:error, map}
   def process_insert_or_update({:error, changeset}), do: {:error, map_changeset(changeset)}
   def process_insert_or_update({:ok, data}), do: {:ok, data}
 
diff --git a/lib/myapp_web/controllers/reply_controller.ex b/lib/myapp_web/controllers/reply_controller.ex
index c6b74fe..d0fd1d6 100644
--- a/lib/myapp_web/controllers/reply_controller.ex
+++ b/lib/myapp_web/controllers/reply_controller.ex
@@ -18,5 +18,21 @@ defmodule MyAppWeb.ReplyController do
     |> put_status(status)
     |> Response.json(output)
   end
+
+  @spec update(map, map) :: any
+  def update(conn, params) do
+    user_id = conn
+    |> MyApp.Guardian.Plug.current_claims
+    |> Map.get("id")
+
+    {output, status} = params
+      |> Map.put("user_id",  user_id)
+      |> Data.Reply.user_update_reply
+      |> Response.put_resp
+
+    conn
+    |> put_status(status)
+    |> Response.json(output)
+  end
   
 end
diff --git a/lib/myapp_web/controllers/thread_controller.ex b/lib/myapp_web/controllers/thread_controller.ex
index ab11f40..ed6260b 100644
--- a/lib/myapp_web/controllers/thread_controller.ex
+++ b/lib/myapp_web/controllers/thread_controller.ex
@@ -27,7 +27,7 @@ defmodule MyAppWeb.ThreadController do
 
     {output, status} = params
       |> Map.put("user_id",  user_id)
-      |> Data.Thread.update_thread
+      |> Data.Thread.user_update_thread
       |> Response.put_resp
 
     conn
diff --git a/lib/myapp_web/router.ex b/lib/myapp_web/router.ex
index 7591be9..510ba1f 100644
--- a/lib/myapp_web/router.ex
+++ b/lib/myapp_web/router.ex
@@ -46,6 +46,7 @@ defmodule MyAppWeb.Router do
       # authenticated routes
       pipe_through [:user_auth]
       post "/", ReplyController, :insert
+      put "/", ReplyController, :update
     end
 
     scope "/category" do