From f06e20d993622af519505488c6df55ff8fe458ac Mon Sep 17 00:00:00 2001 From: ruthra kumar Date: Mon, 16 Feb 2026 13:19:10 +0530 Subject: [PATCH] fix: better permissions on make payment request (cherry picked from commit f36962fc5842361872caccc13ec56567a5c1e203) --- erpnext/accounts/doctype/payment_request/payment_request.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py index 752085e5f99..86e93e1d783 100644 --- a/erpnext/accounts/doctype/payment_request/payment_request.py +++ b/erpnext/accounts/doctype/payment_request/payment_request.py @@ -548,6 +548,9 @@ def make_payment_request(**args): if args.dn and not isinstance(args.dn, str): frappe.throw(_("Invalid parameter. 'dn' should be of type str")) + frappe.has_permission("Payment Request", "create", throw=True) + frappe.has_permission(args.dt, "read", args.dn, throw=True) + ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn) if not args.get("company"): args.company = ref_doc.company @@ -822,7 +825,7 @@ def get_print_format_list(ref_doctype): return {"print_format": print_format_list} -@frappe.whitelist(allow_guest=True) +@frappe.whitelist() def resend_payment_email(docname): return frappe.get_doc("Payment Request", docname).send_email()