From 14eaff022c2651380c681cedf12c81363871c27d Mon Sep 17 00:00:00 2001
From: sokumon <sohamkulkarns9@gmail.com>
Date: Wed, 14 Jan 2026 13:20:03 +0530
Subject: [PATCH] fix: use allowed pages to check perms

---
 frappe/boot.py                                           | 6 +++---
 .../desk/doctype/workspace_sidebar/workspace_sidebar.py  | 9 ++-------
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/frappe/boot.py b/frappe/boot.py
index c1f572f995..b409e36b99 100644
--- a/frappe/boot.py
+++ b/frappe/boot.py
@@ -161,8 +161,8 @@ def load_desktop_data(bootinfo):
 	from frappe.desk.desktop import get_workspace_sidebar_items
 
 	bootinfo.workspaces = get_workspace_sidebar_items()
-	bootinfo.workspace_sidebar_item = get_sidebar_items()
 	allowed_pages = [d.name for d in bootinfo.workspaces.get("pages")]
+	bootinfo.workspace_sidebar_item = get_sidebar_items(allowed_pages)
 	bootinfo.module_wise_workspaces = get_controller("Workspace").get_module_wise_workspaces()
 	bootinfo.dashboards = frappe.get_all("Dashboard")
 	bootinfo.app_data = []
@@ -533,7 +533,7 @@ def get_sentry_dsn():
 	return os.getenv("FRAPPE_SENTRY_DSN")
 
 
-def get_sidebar_items():
+def get_sidebar_items(allowed_workspaces):
 	from frappe import _
 	from frappe.desk.doctype.workspace_sidebar.workspace_sidebar import auto_generate_sidebar_from_module
 
@@ -585,7 +585,7 @@ def get_sidebar_items():
 			if (
 				"My Workspaces" in sidebar_title
 				or si.type == "Section Break"
-				or w.is_item_allowed(si.link_to, si.link_type)
+				or w.is_item_allowed(si.link_to, si.link_type, allowed_workspaces)
 			):
 				sidebar_items[sidebar_title.lower()]["items"].append(workspace_sidebar)
 	add_user_specific_sidebar(sidebar_items)
diff --git a/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py b/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py
index d6390ca036..f3448894b9 100644
--- a/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py
+++ b/frappe/desk/doctype/workspace_sidebar/workspace_sidebar.py
@@ -77,7 +77,7 @@ class WorkspaceSidebar(Document):
 		else:
 			frappe.throw(_("You need to be Workspace Manager to delete a public workspace."))
 
-	def is_item_allowed(self, name, item_type):
+	def is_item_allowed(self, name, item_type, allowed_workspaces):
 		if frappe.session.user == "Administrator":
 			return True
 
@@ -100,12 +100,7 @@ class WorkspaceSidebar(Document):
 		if item_type == "url":
 			return True
 		if item_type == "workspace":
-			try:
-				workspace = frappe.get_cached_doc("Workspace", name)
-				if workspace.module in self.allowed_modules:
-					return True
-			except frappe.DoesNotExistError:
-				return False
+			return name in allowed_workspaces
 
 	def get_cached(self, cache_key, fallback_fn):
 		value = frappe.cache.get_value(cache_key, user=frappe.session.user)