fix: add permission checks in whitelisted functions (#53103)

erpnext/accounts/doctype/bank_reconciliation_tool/bank_reconciliation_tool.py

@@ -59,7 +59,7 @@ def get_bank_transactions(
 		filters.append(["date", "<=", to_date])
 	if from_date:
 		filters.append(["date", ">=", from_date])
-	transactions = frappe.get_all(
+	transactions = frappe.get_list(
 		"Bank Transaction",
 		fields=[
 			"date",
@@ -84,6 +84,7 @@ def get_bank_transactions(
 @frappe.whitelist()
 def get_account_balance(bank_account: str, till_date: str | date, company: str):
 	# returns account balance till the specified date
+	frappe.has_permission("Bank Account", "read", bank_account, throw=True)
 	account = frappe.db.get_value("Bank Account", bank_account, "account")
 	filters = frappe._dict(
 		{

erpnext/accounts/doctype/payment_request/payment_request.py

@@ -955,6 +955,7 @@ def resend_payment_email(docname: str):
 @frappe.whitelist()
 def make_payment_entry(docname: str):
 	doc = frappe.get_doc("Payment Request", docname)
+	doc.check_permission("read")
 	return doc.create_payment_entry(submit=False).as_dict()
 
 

erpnext/accounts/doctype/process_statement_of_accounts/process_statement_of_accounts.py

@@ -465,6 +465,8 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
 	when Is Billing Contact checked
 	and Primary email- email with Is Primary checked"""
 
+	frappe.has_permission("Customer", "read", customer_name, throw=True)
+
 	billing_email = frappe.db.sql(
 		"""
 		SELECT
@@ -508,6 +510,7 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin
 @frappe.whitelist()
 def download_statements(document_name: str):
 	doc = frappe.get_doc("Process Statement Of Accounts", document_name)
+	doc.check_permission("read")
 	report = get_report_pdf(doc)
 	if report:
 		frappe.local.response.filename = doc.name + ".pdf"

erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.js

@@ -28,6 +28,7 @@ frappe.query_reports["Stock Qty vs Batch Qty"] = {
 		},
 	],
 	onload: function (report) {
+		if (frappe.model.can_write("Batch")) {
 			report.page.add_inner_button(__("Update Batch Qty"), function () {
 				let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
 				let selected_rows = indexes
@@ -50,6 +51,7 @@ frappe.query_reports["Stock Qty vs Batch Qty"] = {
 					frappe.msgprint(__("Please select at least one row with difference value"));
 				}
 			});
+		}
 	},
 
 	formatter: function (value, row, column, data, default_formatter) {

erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.py

@@ -101,6 +101,7 @@ def get_data(filters=None):
 
 @frappe.whitelist()
 def update_batch_qty(selected_batches: str | None = None):
+	frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)
 	if not selected_batches:
 		return