From b755ca12ca2afd3e5587b81fd280820a298fbec5 Mon Sep 17 00:00:00 2001
From: ruthra kumar
Date: Wed, 4 Feb 2026 16:54:51 +0530
Subject: [PATCH] fix: enfore permission on make_payment_request
---
 erpnext/accounts/doctype/payment_request/payment_request.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py
index 7d21a4ba41a..0b119512f7b 100644
--- a/erpnext/accounts/doctype/payment_request/payment_request.py
+++ b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -535,10 +535,12 @@ class PaymentRequest(Document):
 row_number += TO_SKIP_NEW_ROW
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist()
 def make_payment_request(**args):
 """Make payment request"""
+ frappe.has_permission(doctype="Payment Request", ptype="write", throw=True)
+
 args = frappe._dict(args)
 if args.dt not in ALLOWED_DOCTYPES_FOR_PAYMENT_REQUEST:
 frappe.throw(_("Payment Requests cannot be created against: {0}").format(frappe.bold(args.dt)))
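Review bot: The added `frappe.has_permission(doctype="Payment Request", ptype="write", throw=True)` is a doctype-level check only, so nothing in the visible lines ties the caller to the document named by `args.dt` / `args.dn`. A user who holds write access on Payment Request could still raise a request against a reference document they cannot read, assuming the code below the hunk loads that document without a permission check of its own. After the `ALLOWED_DOCTYPES_FOR_PAYMENT_REQUEST` test I would add `frappe.has_permission(doctype=args.dt, ptype="read", doc=args.dn, throw=True)`. Because this endpoint inserts a new record, `ptype="create"` may describe the required right more accurately than `"write"`. The body of `make_payment_request` continues past the end of the hunk, so this is based on the visible lines only.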