From db01c05eb878d9e36eebc435e08dd94d3abc7519 Mon Sep 17 00:00:00 2001
From: Ankush Menat <ankush@frappe.io>
Date: Tue, 31 Oct 2023 21:34:39 +0530
Subject: [PATCH] fix: enforce perms on global search

---
 frappe/utils/global_search.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/frappe/utils/global_search.py b/frappe/utils/global_search.py
index d310e1e8d5..88f201f41d 100644
--- a/frappe/utils/global_search.py
+++ b/frappe/utils/global_search.py
@@ -446,7 +446,9 @@ def search(text, start=0, limit=20, doctype=""):
 	results = []
 	sorted_results = []
 
-	allowed_doctypes = get_doctypes_for_global_search()
+	allowed_doctypes = set(get_doctypes_for_global_search()) & set(frappe.get_user().get_can_read())
+	if not allowed_doctypes or (doctype and doctype not in allowed_doctypes):
+		return []
 
 	for word in set(text.split("&")):
 		word = word.strip()
@@ -464,7 +466,7 @@ def search(text, start=0, limit=20, doctype=""):
 
 		if doctype:
 			query = query.where(global_search.doctype == doctype)
-		elif allowed_doctypes:
+		else:
 			query = query.where(global_search.doctype.isin(allowed_doctypes))
 
 		if cint(start) > 0: