From 7ebed912cfaaacef61e1dccf6bd779775dedfcc0 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 15:28:01 +0000
Subject: [PATCH] fix: validate permission before updating status (backport #53651) (#53653)
* fix: validate permission before updating status (#53651)
(cherry picked from commit 8e17c722fbb2c685d215d7daf309eb856282050c)
# Conflicts:
# erpnext/buying/doctype/purchase_order/purchase_order.py
# erpnext/selling/doctype/sales_order/sales_order.py
# erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
* chore: resolve conflicts
---------
Co-authored-by: diptanilsaha
---
 erpnext/buying/doctype/purchase_order/purchase_order.py | 2 +-
 erpnext/selling/doctype/sales_order/sales_order.py | 2 +-
 erpnext/stock/doctype/purchase_receipt/purchase_receipt.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/erpnext/buying/doctype/purchase_order/purchase_order.py b/erpnext/buying/doctype/purchase_order/purchase_order.py
index aaace54db63..22e731a336c 100644
--- a/erpnext/buying/doctype/purchase_order/purchase_order.py
+++ b/erpnext/buying/doctype/purchase_order/purchase_order.py
@@ -889,7 +889,7 @@ def get_list_context(context=None):
 @frappe.whitelist()
 def update_status(status, name):
- po = frappe.get_lazy_doc("Purchase Order", name)
+ po = frappe.get_lazy_doc("Purchase Order", name, check_permission="write")
 po.update_status(status)
 po.update_delivered_qty_in_sales_order()
diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py
index 7918dced389..35ff3c054fd 100755
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
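Review bot: Nothing in this patch exercises the new `check_permission="write"` argument: the diffstat lists only the three endpoint files, so the `update_status` hunk in purchase_order.py and the matching changes to `update_status` in sales_order.py and `update_purchase_receipt_status` in purchase_receipt.py can regress without any test failing. A test per endpoint that switches to a user holding read but not write permission on the document and asserts the call is refused, for example `self.assertRaises(frappe.PermissionError, update_status, status, po.name)`, would pin the behaviour. This matters most on a conflict-resolved backport, where the keyword could be dropped or be unsupported by the target branch without any visible error.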
@@ -1803,7 +1803,7 @@ def make_work_orders(items, sales_order, company, project=None):
 @frappe.whitelist()
 def update_status(status, name):
- so = frappe.get_doc("Sales Order", name)
+ so = frappe.get_doc("Sales Order", name, check_permission="write")
 so.update_status(status)
diff --git a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
index 45353633a15..185a06b4ea6 100644
--- a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
+++ b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
@@ -1577,7 +1577,7 @@ def make_purchase_return(source_name, target_doc=None):
 @frappe.whitelist()
 def update_purchase_receipt_status(docname, status):
- pr = frappe.get_lazy_doc("Purchase Receipt", docname)
+ pr = frappe.get_lazy_doc("Purchase Receipt", docname, check_permission="write")
 pr.update_status(status)
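Review bot: The Sales Order `update_status` passes `check_permission="write"` to `frappe.get_doc`, whereas the two sibling endpoints in this patch pass it to `frappe.get_lazy_doc`, so it is worth confirming that `frappe.get_doc` on the Frappe version paired with this branch actually acts on the keyword. If that loader accepts but ignores unrecognised keyword arguments, `so.update_status(status)` would still run for a user without write access and nothing would signal it. If support cannot be confirmed, an explicit `so.check_permission("write")` on the line after the load enforces the same rule without depending on the loader's signature.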
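Review bot: `update_purchase_receipt_status` has no docstring, so the permission requirement introduced on the load line is visible only by reading the call. A one-line docstring such as `"""Set the status of a Purchase Receipt; the caller needs write permission on it."""` would record the contract for anyone calling this whitelisted method. A short comment is also worth adding that `status` arrives from the client and is handed to `pr.update_status(status)` as-is here; whether that method restricts the accepted values is not visible in this hunk. The two `update_status` endpoints changed earlier in this patch would benefit from the same docstring.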