From defa1d4a766f3fbfc86982885ba4def73a9bba32 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Thu, 19 Mar 2026 20:49:53 +0530
Subject: [PATCH] fix: validate permission before updating status (backport #53651) (#53652)

* fix: validate permission before updating status (#53651)
(cherry picked from commit 8e17c722fbb2c685d215d7daf309eb856282050c)
# Conflicts:
# erpnext/buying/doctype/purchase_order/purchase_order.py
# erpnext/selling/doctype/sales_order/sales_order.py
# erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
* chore: resolve conflicts
---------
Co-authored-by: diptanilsaha
---
 erpnext/buying/doctype/purchase_order/purchase_order.py | 2 ++
 erpnext/selling/doctype/sales_order/sales_order.py | 2 ++
 erpnext/stock/doctype/purchase_receipt/purchase_receipt.py | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/erpnext/buying/doctype/purchase_order/purchase_order.py b/erpnext/buying/doctype/purchase_order/purchase_order.py
index 5d1513df9b2..815ffd2a609 100644
--- a/erpnext/buying/doctype/purchase_order/purchase_order.py
+++ b/erpnext/buying/doctype/purchase_order/purchase_order.py
@@ -912,6 +912,8 @@ def get_list_context(context=None):
 @frappe.whitelist()
 def update_status(status, name):
+ frappe.has_permission("Purchase Order", "write", name, throw=True)
+
 po = frappe.get_doc("Purchase Order", name)
 po.update_status(status)
 po.update_delivered_qty_in_sales_order()
diff --git a/erpnext/selling/doctype/sales_order/sales_order.py b/erpnext/selling/doctype/sales_order/sales_order.py
index dbd7f406432..68fa73fd0e4 100755
--- a/erpnext/selling/doctype/sales_order/sales_order.py
+++ b/erpnext/selling/doctype/sales_order/sales_order.py
@@ -1681,6 +1681,8 @@ def make_work_orders(items, sales_order, company, project=None):
 @frappe.whitelist()
 def update_status(status, name):
+ frappe.has_permission("Sales Order", "write", name, throw=True)
+
 so = frappe.get_doc("Sales Order", name)
 so.update_status(status)
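Review bot: The `status` argument still reaches `po.update_status(status)` exactly as the client sent it; the added `frappe.has_permission(..., throw=True)` line settles who may call the endpoint, not which status values they may request. Whether the document method rejects unexpected values is not visible in this hunk, so I would confirm that or guard at the endpoint with something like `if status not in ALLOWED_STATUSES: frappe.throw(frappe._("Invalid status"))`, where `ALLOWED_STATUSES` is a placeholder for the set the UI actually sends. The same applies to `update_status` in sales_order.py and `update_purchase_receipt_status` in purchase_receipt.py. The function body may continue past the end of the hunk.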
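Review bot: In the Sales Order `update_status` the permission check and the update use two separate lookups of `name`: `frappe.has_permission` is handed the name, and `frappe.get_doc` then loads the document that is modified. Checking on the loaded object ties the check to the instance being changed and avoids resolving the name twice: `so = frappe.get_doc("Sales Order", name)` followed by `so.check_permission("write")`. The Purchase Order and Purchase Receipt hunks use the same pattern and could be changed the same way.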
diff --git a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
index b2e2e7dac84..7e9036f51e7 100644
--- a/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
+++ b/erpnext/stock/doctype/purchase_receipt/purchase_receipt.py
@@ -1414,6 +1414,8 @@ def make_purchase_return(source_name, target_doc=None):
 @frappe.whitelist()
 def update_purchase_receipt_status(docname, status):
+ frappe.has_permission("Purchase Receipt", "write", docname, throw=True)
+
 pr = frappe.get_doc("Purchase Receipt", docname)
 pr.update_status(status)
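Review bot: Nothing in this patch exercises the new denial path in `update_purchase_receipt_status`; the diffstat lists only the three doctype modules, six inserted lines in total. A regression test that switches to a user without write access to Purchase Receipt and asserts that the call raises `frappe.PermissionError` would keep the check from being lost in a later conflict resolution, which this backport already went through. The equivalent test is worth adding for the Purchase Order and Sales Order endpoints.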