From a5c83dd11ec27030bd29e62a3210afbe89ad090a Mon Sep 17 00:00:00 2001 From: ruthra kumar Date: Mon, 16 Feb 2026 13:19:10 +0530 Subject: [PATCH] fix: better permissions on make payment request (cherry picked from commit f36962fc5842361872caccc13ec56567a5c1e203) --- .../accounts/doctype/payment_request/payment_request.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py index 0b119512f7b..fd28dab5a29 100644 --- a/erpnext/accounts/doctype/payment_request/payment_request.py +++ b/erpnext/accounts/doctype/payment_request/payment_request.py @@ -539,8 +539,6 @@ class PaymentRequest(Document): def make_payment_request(**args): """Make payment request""" - frappe.has_permission(doctype="Payment Request", ptype="write", throw=True) - args = frappe._dict(args) if args.dt not in ALLOWED_DOCTYPES_FOR_PAYMENT_REQUEST: frappe.throw(_("Payment Requests cannot be created against: {0}").format(frappe.bold(args.dt))) @@ -548,6 +546,9 @@ def make_payment_request(**args): if args.dn and not isinstance(args.dn, str): frappe.throw(_("Invalid parameter. 'dn' should be of type str")) + frappe.has_permission("Payment Request", "create", throw=True) + frappe.has_permission(args.dt, "read", args.dn, throw=True) + ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn) if not args.get("company"): args.company = ref_doc.company @@ -821,7 +822,7 @@ def get_print_format_list(ref_doctype): return {"print_format": print_format_list} -@frappe.whitelist(allow_guest=True) +@frappe.whitelist() def resend_payment_email(docname): return frappe.get_doc("Payment Request", docname).send_email()