From f2450eaf60246b4b9472062ed327527ffae35b7a Mon Sep 17 00:00:00 2001
From: khushi8112 <khushirawat23@navgurukul.org>
Date: Fri, 10 Apr 2026 12:53:45 +0530
Subject: [PATCH] fix: add permission validation when prompting company details
 for incomplete letterhead data

(cherry picked from commit 256a258b3802526ecdbc0b857fe2d0b350a4af60)
---
 erpnext/controllers/accounts_controller.py | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/erpnext/controllers/accounts_controller.py b/erpnext/controllers/accounts_controller.py
index 17d5d929bb5..8cb426edb6d 100644
--- a/erpnext/controllers/accounts_controller.py
+++ b/erpnext/controllers/accounts_controller.py
@@ -4357,6 +4357,15 @@ def get_missing_company_details(doctype, docname):
 
 	address_display_list = get_address_display_list("Company", company)
 	address_line = address_display_list[0].get("address_line1") if address_display_list else ""
+	needs_new_company_address = not address_line
+
+	if needs_new_company_address and not frappe.has_permission("Address", "create", throw=False):
+		frappe.msgprint(
+			_(
+				"Company Address is missing. You don't have permission to create an Address. Please contact your System Manager."
+			)
+		)
+		return
 
 	required_fields.append(company_address)
 	required_fields.append(address_line)
@@ -4379,6 +4388,18 @@ def get_missing_company_details(doctype, docname):
 def update_company_master_and_address(current_doctype, name, company, details):
 	from frappe.utils import validate_email_address
 
+	if not frappe.has_permission(current_doctype, "write", doc=name, throw=False):
+		frappe.throw(
+			_("You don't have permission to update this document. Please contact your System Manager."),
+			title=_("Insufficient Permissions"),
+		)
+
+	if not frappe.has_permission("Company", "write", doc=company, throw=False):
+		frappe.throw(
+			_("You don't have permission to update Company details. Please contact your System Manager."),
+			title=_("Insufficient Permissions"),
+		)
+
 	if isinstance(details, str):
 		details = frappe.parse_json(details)
 
@@ -4393,6 +4414,13 @@ def update_company_master_and_address(current_doctype, name, company, details):
 
 	company_address = details.get("company_address")
 	if details.get("address_line1"):
+		if not frappe.has_permission("Address", "create", throw=False):
+			frappe.throw(
+				_(
+					"You don't have permission to create a Company Address. Please contact your System Manager."
+				),
+				title=_("Insufficient Permissions"),
+			)
 		address_doc = frappe.get_doc(
 			{
 				"doctype": "Address",