diff --git a/erpnext/accounts/doctype/bank_reconciliation_tool/bank_reconciliation_tool.py b/erpnext/accounts/doctype/bank_reconciliation_tool/bank_reconciliation_tool.py
index 6f8ab21ccf7..59c3573b1b3 100644
--- a/erpnext/accounts/doctype/bank_reconciliation_tool/bank_reconciliation_tool.py
+++ b/erpnext/accounts/doctype/bank_reconciliation_tool/bank_reconciliation_tool.py
@@ -59,7 +59,7 @@ def get_bank_transactions(
 filters.append(["date", "<=", to_date])
 if from_date:
 filters.append(["date", ">=", from_date])
- transactions = frappe.get_all(
+ transactions = frappe.get_list(
 "Bank Transaction",
 fields=[
 "date",
@@ -84,6 +84,7 @@ def get_bank_transactions(
 @frappe.whitelist()
 def get_account_balance(bank_account: str, till_date: str | date, company: str):
 # returns account balance till the specified date
+ frappe.has_permission("Bank Account", "read", bank_account, throw=True)
 account = frappe.db.get_value("Bank Account", bank_account, "account")
 filters = frappe._dict(
 {
diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py
index 1ba9cf1675d..81ddd1de537 100644
--- a/erpnext/accounts/doctype/payment_request/payment_request.py
+++ b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -955,6 +955,7 @@ def resend_payment_email(docname: str):
 @frappe.whitelist()
 def make_payment_entry(docname: str):
 doc = frappe.get_doc("Payment Request", docname)
+ doc.check_permission("read")
 return doc.create_payment_entry(submit=False).as_dict()
diff --git a/erpnext/accounts/doctype/process_statement_of_accounts/process_statement_of_accounts.py b/erpnext/accounts/doctype/process_statement_of_accounts/process_statement_of_accounts.py
index 3994538059c..76b67860376 100644
--- a/erpnext/accounts/doctype/process_statement_of_accounts/process_statement_of_accounts.py
+++ b/erpnext/accounts/doctype/process_statement_of_accounts/process_statement_of_accounts.py
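Review bot: In get_bank_transactions (bank_reconciliation_tool.py) the switch to `frappe.get_list` carries no comment, and the two calls look interchangeable to anyone tidying this file later. A line above the call such as `# get_list, not get_all: the caller's Bank Transaction permissions must apply` would keep the permission-aware variant from being reverted. The function starts and ends outside the hunk, so the filters built before the call were not reviewed.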
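Review bot: In get_account_balance (bank_reconciliation_tool.py) the added check covers only the Bank Account record; `company` and `till_date` still come from the request and are not checked in the visible lines. If the `filters` dict opened at the end of the hunk forwards `company` to the balance query (its contents are outside the hunk), it should be compared with the company recorded on the Bank Account before use. The existing `# returns account balance …` comment would also read better as a docstring that states the read permission now required on the Bank Account.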
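Review bot: In make_payment_entry (payment_request.py) the gate is `read` on the Payment Request, but the function returns a Payment Entry built from it. If callers are expected to hold rights on the target doctype, add `frappe.has_permission("Payment Entry", "create", throw=True)` next to the new line. Whether create_payment_entry persists anything with `submit=False` is not visible here and should be confirmed. The download_statements hunk in process_statement_of_accounts.py uses the same read-only gate for a generated PDF and deserves the same look at what the derived output exposes.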
@@ -465,6 +465,8 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin when Is Billing Contact checked and Primary email- email with Is Primary checked""" + frappe.has_permission("Customer", "read", customer_name, throw=True) + billing_email = frappe.db.sql( """ SELECT @@ -508,6 +510,7 @@ def get_customer_emails(customer_name: str, primary_mandatory: str | int, billin @frappe.whitelist() def download_statements(document_name: str): doc = frappe.get_doc("Process Statement Of Accounts", document_name) + doc.check_permission("read") report = get_report_pdf(doc) if report: frappe.local.response.filename = doc.name + ".pdf" diff --git a/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.js b/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.js index f80126bcb0a..40ad8843871 100644 --- a/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.js +++ b/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.js 
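Review bot: In get_customer_emails the query below the new line goes through `frappe.db.sql`, which applies no permission filtering, so the added `frappe.has_permission("Customer", "read", customer_name, throw=True)` is the only access gate on the e-mail addresses returned. A comment saying so would keep it from being moved or dropped: `# frappe.db.sql is not permission-aware; this check is the only gate on the returned e-mails`. The query's parameters are outside the hunk, so it should be confirmed that `customer_name` is passed as a bound value rather than formatted into the SQL string.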
@@ -28,28 +28,30 @@ frappe.query_reports["Stock Qty vs Batch Qty"] = {
 },
 ],
 onload: function (report) {
- report.page.add_inner_button(__("Update Batch Qty"), function () {
- let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
- let selected_rows = indexes
- .map((i) => frappe.query_report.data[i])
- .filter((row) => row.difference != 0);
+ if (frappe.model.can_write("Batch")) {
+ report.page.add_inner_button(__("Update Batch Qty"), function () {
+ let indexes = frappe.query_report.datatable.rowmanager.getCheckedRows();
+ let selected_rows = indexes
+ .map((i) => frappe.query_report.data[i])
+ .filter((row) => row.difference != 0);
- if (selected_rows.length) {
- frappe.call({
- method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
- args: {
- selected_batches: selected_rows,
- },
- callback: function (r) {
- if (!r.exc) {
- report.refresh();
- }
- },
- });
- } else {
- frappe.msgprint(__("Please select at least one row with difference value"));
- }
- });
+ if (selected_rows.length) {
+ frappe.call({
+ method: "erpnext.stock.report.stock_qty_vs_batch_qty.stock_qty_vs_batch_qty.update_batch_qty",
+ args: {
+ selected_batches: selected_rows,
+ },
+ callback: function (r) {
+ if (!r.exc) {
+ report.refresh();
+ }
+ },
+ });
+ } else {
+ frappe.msgprint(__("Please select at least one row with difference value"));
+ }
+ });
+ }
 },
 formatter: function (value, row, column, data, default_formatter) {
diff --git a/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.py b/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.py
index df3dc62c27f..83ff83e869d 100644
--- a/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.py
+++ b/erpnext/stock/report/stock_qty_vs_batch_qty/stock_qty_vs_batch_qty.py
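Review bot: Wrapping the whole handler in `if (frappe.model.can_write("Batch")) { … }` re-indents some twenty unchanged lines and adds a nesting level. A guard at the top of onload, `if (!frappe.model.can_write("Batch")) return;`, gives the same result as a one-line change, since nothing else follows inside onload in this hunk. The guard only hides the button, so a comment pointing at the server-side enforcement would help readers: `// UI only; update_batch_qty checks Batch write permission on the server`.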
@@ -101,6 +101,7 @@ def get_data(filters=None):
 @frappe.whitelist()
 def update_batch_qty(selected_batches: str | None = None):
+ frappe.has_permission("Batch", "write", throw=True, ignore_share_permissions=True)
 if not selected_batches:
 return
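Review bot: The added check in update_batch_qty is doctype-level only, since no document is passed, so it does not account for restrictions on the individual batches named in `selected_batches`. Those rows arrive from the client as whole report rows. Where the function iterates over them (outside this hunk), a per-record check such as `frappe.has_permission("Batch", "write", doc=batch_name, throw=True)` would cover that, with `batch_name` standing for whatever key the loop reads. It is also worth confirming that the quantities written are recomputed on the server rather than taken from the submitted rows.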