fix: better permissions on make payment request

ruthra-kumar · mergify[bot] · commit a5c83dd11ec2 · 2026-02-18T06:58:42.000Z
(cherry picked from commit f36962f)
diff --git a/erpnext/accounts/doctype/payment_request/payment_request.py b/erpnext/accounts/doctype/payment_request/payment_request.py
@@ -539,15 +539,16 @@ def _allocate_payment_request_to_pe_references(self, references):
 def make_payment_request(**args):
 	"""Make payment request"""
 
-	frappe.has_permission(doctype="Payment Request", ptype="write", throw=True)
-
 	args = frappe._dict(args)
 	if args.dt not in ALLOWED_DOCTYPES_FOR_PAYMENT_REQUEST:
 		frappe.throw(_("Payment Requests cannot be created against: {0}").format(frappe.bold(args.dt)))
 
 	if args.dn and not isinstance(args.dn, str):
 		frappe.throw(_("Invalid parameter. 'dn' should be of type str"))
 
+	frappe.has_permission("Payment Request", "create", throw=True)
+	frappe.has_permission(args.dt, "read", args.dn, throw=True)
+
 	ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn)
 	if not args.get("company"):
 		args.company = ref_doc.company
@@ -821,7 +822,7 @@ def get_print_format_list(ref_doctype):
 	return {"print_format": print_format_list}
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist()
 def resend_payment_email(docname):
 	return frappe.get_doc("Payment Request", docname).send_email()
 
