fix: pemission for whitelist functions

erpnext/accounts/doctype/bank_clearance/bank_clearance.py

@@ -91,6 +91,7 @@ class BankClearance(Document):
 
 	@frappe.whitelist()
 	def update_clearance_date(self):
+		self.check_permission("write")
 		invalid_document = []
 		invalid_cheque_date = []
 		entries_to_update = []

erpnext/accounts/doctype/repost_accounting_ledger/repost_accounting_ledger.py

@@ -154,12 +154,13 @@ class RepostAccountingLedger(Document):
 
 
 @frappe.whitelist()
-def start_repost(account_repost_doc=str) -> None:
+def start_repost(account_repost_doc: str | None = None) -> None:
 	from erpnext.accounts.general_ledger import make_reverse_gl_entries
 
 	frappe.flags.through_repost_accounting_ledger = True
 	if account_repost_doc:
 		repost_doc = frappe.get_doc("Repost Accounting Ledger", account_repost_doc)
+		repost_doc.check_permission("write")
 
 		if repost_doc.docstatus == 1:
 			# Prevent repost on invoices with deferred accounting

erpnext/accounts/party.py

@@ -508,7 +508,8 @@ def get_party_advance_account(party_type, party, company):
 
 
 @frappe.whitelist()
-def get_party_bank_account(party_type, party):
+def get_party_bank_account(party_type: str, party: str):
+	frappe.has_permission("Bank Account", "read", throw=True)
 	return frappe.db.get_value("Bank Account", {"party_type": party_type, "party": party, "is_default": 1})
 
 

erpnext/crm/doctype/lead/lead.py

@@ -481,7 +481,7 @@ def get_lead_details(lead, posting_date=None, company=None, doctype=None):
 
 
 @frappe.whitelist()
-def make_lead_from_communication(communication, ignore_communication_links=False):
+def make_lead_from_communication(communication: str, ignore_communication_links: bool = False):
 	"""raise a issue from email"""
 
 	doc = frappe.get_doc("Communication", communication)
@@ -500,7 +500,6 @@ def make_lead_from_communication(communication, ignore_communication_links=False
 			}
 		)
 		lead.flags.ignore_mandatory = True
-		lead.flags.ignore_permissions = True
 		lead.insert()
 
 		lead_name = lead.name

erpnext/crm/doctype/opportunity/opportunity.py

@@ -524,7 +524,9 @@ def auto_close_opportunity():
 
 
 @frappe.whitelist()
-def make_opportunity_from_communication(communication, company, ignore_communication_links=False):
+def make_opportunity_from_communication(
+	communication: str, company: str, ignore_communication_links: bool = False
+):
 	from erpnext.crm.doctype.lead.lead import make_lead_from_communication
 
 	doc = frappe.get_doc("Communication", communication)
@@ -542,7 +544,7 @@ def make_opportunity_from_communication(communication, company, ignore_communica
 			"opportunity_from": opportunity_from,
 			"party_name": lead,
 		}
-	).insert(ignore_permissions=True)
+	).insert()
 
 	link_communication_to_document(doc, "Opportunity", opportunity.name, ignore_communication_links)
 

erpnext/manufacturing/doctype/bom_creator/bom_creator.py

@@ -388,8 +388,6 @@ class BOMCreator(Document):
 
 	@frappe.whitelist()
 	def edit_bom_creator(self, docname: str, data: str | dict):
-		frappe.has_permission("BOM Creator", "write", doc=self, throw=True)
-
 		if not frappe.db.exists("BOM Creator Item", {"parent": self.name, "name": docname}):
 			frappe.throw(_("BOM Creator Item with name {0} does not exist").format(docname))
 
@@ -426,8 +424,6 @@ class BOMCreator(Document):
 
 	@frappe.whitelist()
 	def add_item(self, **kwargs):
-		frappe.has_permission("BOM Creator", "write", doc=self, throw=True)
-
 		if isinstance(kwargs, str):
 			kwargs = frappe.parse_json(kwargs)
 
@@ -458,8 +454,6 @@ class BOMCreator(Document):
 
 	@frappe.whitelist()
 	def add_sub_assembly(self, **kwargs):
-		frappe.has_permission("BOM Creator", "write", doc=self, throw=True)
-
 		if isinstance(kwargs, str):
 			kwargs = frappe.parse_json(kwargs)
 
@@ -499,7 +493,7 @@ class BOMCreator(Document):
 		else:
 			if sbool(kwargs.phantom):
 				parent_row = next(item for item in self.items if item.name == kwargs.fg_reference_id)
-				parent_row.db_set("is_phantom_item", 1)
+				parent_row.is_phantom_item = 1
 			parent_row_no = get_parent_row_no(self, kwargs.fg_reference_id)
 
 		for row in bom_item.get("items"):
@@ -528,8 +522,6 @@ class BOMCreator(Document):
 
 	@frappe.whitelist()
 	def delete_node(self, **kwargs):
-		frappe.has_permission("BOM Creator", "write", doc=self, throw=True)
-
 		if isinstance(kwargs, str):
 			kwargs = frappe.parse_json(kwargs)
 

erpnext/manufacturing/doctype/workstation/workstation.py

@@ -219,7 +219,7 @@ class Workstation(Document):
 		doc.check_permission("write")
 
 		doc.append("time_logs", {"from_time": from_time, "employee": employee})
-		doc.save(ignore_permissions=True)
+		doc.save()
 
 		return doc
 
@@ -234,7 +234,7 @@ class Workstation(Document):
 				row.time_in_mins = time_diff_in_hours(row.to_time, row.from_time) / 60
 				row.completed_qty = qty
 
-		doc.save(ignore_permissions=True)
+		doc.save()
 		doc.submit()
 
 		return doc

erpnext/setup/doctype/transaction_deletion_record/transaction_deletion_record.py

@@ -640,6 +640,8 @@ class TransactionDeletionRecord(Document):
 
 	@frappe.whitelist()
 	def start_deletion_tasks(self):
+		self.check_permission("write")
+
 		# This method is the entry point for the chain of events that follow
 		self.db_set("status", "Running")
 		self._set_deletion_cache()

erpnext/stock/doctype/delivery_trip/delivery_trip.py

@@ -367,7 +367,9 @@ def get_default_address(out, name):
 
 
 @frappe.whitelist()
-def get_contact_display(contact):
+def get_contact_display(contact: str):
+	frappe.has_permission("Contact", "read", doc=contact, throw=True)
+
 	contact_info = frappe.db.get_value(
 		"Contact", contact, ["first_name", "last_name", "phone", "mobile_no"], as_dict=1
 	)
@@ -469,7 +471,9 @@ def get_attachments(delivery_stop):
 
 
 @frappe.whitelist()
-def get_driver_email(driver):
+def get_driver_email(driver: str):
+	frappe.has_permission("Driver", "read", doc=driver, throw=True)
+
 	employee = frappe.db.get_value("Driver", driver, "employee")
 	email = frappe.db.get_value("Employee", employee, "prefered_email")
 	return {"email": email}

erpnext/stock/doctype/shipment/shipment.py

@@ -126,7 +126,9 @@ def get_contact_name(ref_doctype, docname):
 
 
 @frappe.whitelist()
-def get_company_contact(user):
+def get_company_contact(user: str):
+	frappe.has_permission("User", "read", throw=True)
+
 	contact = frappe.db.get_value(
 		"User",
 		user,

erpnext/stock/report/incorrect_serial_and_batch_bundle/incorrect_serial_and_batch_bundle.py

@@ -134,12 +134,15 @@ def get_linked_cancelled_sabb(filters):
 
 
 @frappe.whitelist()
-def fix_sabb_entries(selected_rows):
+def fix_sabb_entries(selected_rows: str | list):
+	frappe.has_permission("Serial and Batch Bundle", "write", throw=True)
+
 	if isinstance(selected_rows, str):
 		selected_rows = frappe.parse_json(selected_rows)
 
 	for row in selected_rows:
 		doc = frappe.get_doc("Serial and Batch Bundle", row.get("name"))
+		doc.check_permission("write")
 		if doc.is_cancelled == 0 and not frappe.db.get_value(
 			"Stock Ledger Entry",
 			{"serial_and_batch_bundle": doc.name, "is_cancelled": 0},

erpnext/subcontracting/doctype/subcontracting_inward_order/subcontracting_inward_order.py

@@ -3,6 +3,7 @@
 
 import frappe
 from frappe import _
+from frappe.model.document import Document
 from frappe.model.mapper import get_mapped_doc
 from frappe.utils import comma_and, flt, get_link_to_form
 
@@ -550,8 +551,9 @@ class SubcontractingInwardOrder(SubcontractingController):
 
 
 @frappe.whitelist()
-def update_subcontracting_inward_order_status(scio, status=None):
+def update_subcontracting_inward_order_status(scio: str | Document, status: str | None = None):
 	if isinstance(scio, str):
 		scio = frappe.get_doc("Subcontracting Inward Order", scio)
 
+	scio.check_permission("write")
 	scio.update_status(status)

erpnext/subcontracting/doctype/subcontracting_order/subcontracting_order.py

@@ -3,6 +3,7 @@
 
 import frappe
 from frappe import _
+from frappe.model.document import Document
 from frappe.model.mapper import get_mapped_doc
 from frappe.utils import flt
 
@@ -483,8 +484,9 @@ def get_mapped_subcontracting_receipt(source_name, target_doc=None, items=None):
 
 
 @frappe.whitelist()
-def update_subcontracting_order_status(sco, status=None):
+def update_subcontracting_order_status(sco: str | Document, status: str | None = None):
 	if isinstance(sco, str):
 		sco = frappe.get_doc("Subcontracting Order", sco)
 
+	sco.check_permission("write")
 	sco.update_status(status)

erpnext/support/doctype/issue/issue.py

@@ -118,7 +118,9 @@ class Issue(Document):
 		communication.save()
 
 	@frappe.whitelist()
-	def split_issue(self, subject, communication_id):
+	def split_issue(self, subject: str, communication_id: str):
+		self.check_permission("write")
+
 		# Bug: Pressing enter doesn't send subject
 		from copy import deepcopy
 
@@ -274,7 +276,7 @@ def make_task(source_name, target_doc=None):
 
 
 @frappe.whitelist()
-def make_issue_from_communication(communication, ignore_communication_links=False):
+def make_issue_from_communication(communication: str, ignore_communication_links: bool = False):
 	"""raise a issue from email"""
 
 	doc = frappe.get_doc("Communication", communication)
@@ -286,7 +288,7 @@ def make_issue_from_communication(communication, ignore_communication_links=Fals
 			"raised_by": doc.sender or "",
 			"raised_by_phone": doc.phone_no or "",
 		}
-	).insert(ignore_permissions=True)
+	).insert()
 
 	link_communication_to_document(doc, "Issue", issue.name, ignore_communication_links)