From 8e17c722fbb2c685d215d7daf309eb856282050c Mon Sep 17 00:00:00 2001
From: diptanilsaha
Date: Thu, 19 Mar 2026 20:19:29 +0530
Subject: [PATCH] fix: validate permission before updating status (#53651)
---
 erpnext/buying/doctype/purchase_order/purchase_order.py | 2 +-
 erpnext/selling/doctype/sales_order/sales_order.py | 2 +-
 erpnext/stock/doctype/purchase_receipt/purchase_receipt.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/erpnext/buying/doctype/purchase_order/purchase_order.py b/erpnext/buying/doctype/purchase_order/purchase_order.py
index 2b287d51d8d..38411bca451 100644
--- a/erpnext/buying/doctype/purchase_order/purchase_order.py
+++ b/erpnext/buying/doctype/purchase_order/purchase_order.py
@@ -894,7 +894,7 @@ def get_list_context(context=None):
 @frappe.whitelist()
 def update_status(status: str, name: str):
- po = frappe.get_lazy_doc("Purchase Order", name)
+ po = frappe.get_lazy_doc("Purchase Order", name, check_permission="write")
 po.update_status(status)
 po.update_delivered_qty_in_sales_order()
diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py
index 83db66824cd..670ba74ba53 100755
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
@@ -1815,7 +1815,7 @@ def make_work_orders(items: str, sales_order: str, company: str, project: str |
 @frappe.whitelist()
 def update_status(status: str, name: str):
- so = frappe.get_doc("Sales Order", name)
+ so = frappe.get_doc("Sales Order", name, check_permission="write")
 so.update_status(status)
diff --git a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
index 54863504546..62c59fa9691 100644
--- a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
+++ b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
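Review bot: In `update_status` of purchase_order.py the `status` argument still comes straight from the caller of this whitelisted endpoint and is passed to `po.update_status(status)` with no check visible in the hunk; the new `check_permission="write"` settles who may call it, not which value may be set. Unless the document's own `update_status` already rejects unexpected values (not shown here), the stored status is bounded only by what that method accepts. I would guard the call with an allow-list, e.g. `if status not in ALLOWED_STATUSES: frappe.throw("Invalid status")`, where `ALLOWED_STATUSES` is a placeholder for the statuses this endpoint is meant to set. The same applies to `update_status` in sales_order.py and `update_purchase_receipt_status` in purchase_receipt.py.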
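Review bot: The Sales Order `update_status` enforces the check through `frappe.get_doc(..., check_permission="write")`, while the other two endpoints in this commit load through `frappe.get_lazy_doc`. `get_doc` forwards arbitrary keyword arguments, so on a framework version that does not consume `check_permission` the keyword would presumably be ignored without an error and the endpoint would fail open. An explicit `so.check_permission("write")` on the line after the load does not depend on the loader's keyword handling. The diffstat lists only the three source files, so I would also add a regression test per endpoint asserting that a user without write access gets `frappe.PermissionError`.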
@@ -1581,7 +1581,7 @@ def make_purchase_return(source_name: str, target_doc: str | Document | None = N
 @frappe.whitelist()
 def update_purchase_receipt_status(docname: str, status: str):
- pr = frappe.get_lazy_doc("Purchase Receipt", docname)
+ pr = frappe.get_lazy_doc("Purchase Receipt", docname, check_permission="write")
 pr.update_status(status)