From 400b09923a5b6f53a67e1cb2564f83ecc3c78e19 Mon Sep 17 00:00:00 2001
From: ruthra kumar
Date: Mon, 16 Feb 2026 13:19:10 +0530
Subject: [PATCH] fix: better permissions on make payment request
(cherry picked from commit f36962fc5842361872caccc13ec56567a5c1e203)
# Conflicts:
# erpnext/accounts/doctype/payment_request/payment_request.py
---
 .../doctype/payment_request/payment_request.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py
index 1012ff56ebf..d7f4507e543 100644
--- a/erpnext/accounts/doctype/payment_request/payment_request.py
+++ b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -493,7 +493,13 @@ def make_payment_request(**args):
 args = frappe._dict(args)
- ref_doc = frappe.get_doc(args.dt, args.dn)
+ if args.dn and not isinstance(args.dn, str):
+ frappe.throw(_("Invalid parameter. 'dn' should be of type str"))
+
+ frappe.has_permission("Payment Request", "create", throw=True)
+ frappe.has_permission(args.dt, "read", args.dn, throw=True)
+
+ ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn)
 gateway_account = get_gateway_details(args) or frappe._dict()
 grand_total = get_amount(ref_doc, gateway_account.get("payment_account"))
@@ -680,7 +686,7 @@ def get_print_format_list(ref_doctype):
 return {"print_format": print_format_list}
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist()
 def resend_payment_email(docname):
 return frappe.get_doc("Payment Request", docname).send_email()
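Review bot: The new read check authorises only the `(args.dt, args.dn)` pair, but the line after it, `ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn)`, prefers a `ref_doc` taken straight from the caller-supplied `**args`. Nothing in the hunk ties `args.ref_doc` to the document that was just checked, so if this function is reachable as a whitelisted endpoint (its decorator and the rest of the body are outside the hunk), `get_amount` may run on an object the caller was never authorised for. Either keep the original `ref_doc = frappe.get_doc(args.dt, args.dn)`, or accept `args.ref_doc` only when it is a `Document` whose `doctype` and `name` equal `args.dt` and `args.dn`. The type guard is also skipped when `dn` is a falsy non-string, and `dt` is not type-checked at all; both could be tightened in the same place.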
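Review bot: `resend_payment_email` still calls `frappe.get_doc("Payment Request", docname).send_email()` with no per-document permission check, and `frappe.get_doc` does not enforce permissions by itself. Dropping `allow_guest=True` therefore narrows the caller set only to any logged-in user who can supply a valid `docname`. Adding `frappe.has_permission("Payment Request", "read", docname, throw=True)` as the first line of the function would mirror the checks this commit adds to `make_payment_request`. Whether `read` or a stronger permission is right for triggering an e-mail is a call for the maintainers. A string type check on `docname`, like the one added for `dn`, would also be consistent.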