Merge pull request #52789 from frappe/mergify/bp/version-15/pr-52763

fix: better permissions on make payment request (backport #52763)

Author: ruthra-kumar

erpnext/accounts/doctype/payment_request/payment_request.py

@@ -548,6 +548,9 @@ def make_payment_request(**args):
 	if args.dn and not isinstance(args.dn, str):
 		frappe.throw(_("Invalid parameter. 'dn' should be of type str"))
 
+	frappe.has_permission("Payment Request", "create", throw=True)
+	frappe.has_permission(args.dt, "read", args.dn, throw=True)
+
 	ref_doc = args.ref_doc or frappe.get_doc(args.dt, args.dn)
 	if not args.get("company"):
 		args.company = ref_doc.company
@@ -822,7 +825,7 @@ def get_print_format_list(ref_doctype):
 	return {"print_format": print_format_list}
 
 
-@frappe.whitelist(allow_guest=True)
+@frappe.whitelist()
 def resend_payment_email(docname):
 	return frappe.get_doc("Payment Request", docname).send_email()