Merge pull request #52419 from ruthra-kumar/plug_payment_request_vulnerability

fix: enfore permission on make_payment_request
2026-02-12 17:23:38 +00:00 · 2026-02-04 17:44:27 +05:30
parent 3b45485351 b755ca12ca
commit a3bd73b9db
1 changed files with 3 additions and 1 deletions
--- a/erpnext/accounts/doctype/payment_request/payment_request.py
+++ b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -535,10 +535,12 @@ class PaymentRequest(Document):
 				row_number += TO_SKIP_NEW_ROW


-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist()
 def make_payment_request(**args):
 	"""Make payment request"""

+	frappe.has_permission(doctype="Payment Request", ptype="write", throw=True)
+
 	args = frappe._dict(args)
 	if args.dt not in ALLOWED_DOCTYPES_FOR_PAYMENT_REQUEST:
 		frappe.throw(_("Payment Requests cannot be created against: {0}").format(frappe.bold(args.dt)))