From 3a3a83b6444bead9a2ff149a5fbe6c1d01d4b61c Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Mon, 1 Dec 2025 20:37:18 +0530
Subject: [PATCH] refactor: remove redundant child table permission checks

The `check_parent_permission` calls in client.py are redundant because
`frappe.has_permission` already handles child tables via `has_child_permission`,
which performs the same validations plus additional permlevel checks.
---
 frappe/client.py         |  7 -------
 frappe/model/db_query.py | 16 ----------------
 2 files changed, 23 deletions(-)

diff --git a/frappe/client.py b/frappe/client.py
index 6088f8a36a..b6d3fedb49 100644
--- a/frappe/client.py
+++ b/frappe/client.py
@@ -9,7 +9,6 @@ import frappe.model
 import frappe.utils
 from frappe import _
 from frappe.desk.reportview import validate_args
-from frappe.model.db_query import check_parent_permission
 from frappe.model.utils import is_virtual_doctype
 from frappe.utils import attach_expanded_links, get_safe_filters
 from frappe.utils.caching import http_cache
@@ -47,8 +46,6 @@ def get_list(
 	:param order_by: Order by this fieldname
 	:param limit_start: Start at this index
 	:param limit_page_length: Number of records to be returned (default 20)"""
-	if frappe.is_table(doctype):
-		check_parent_permission(parent, doctype)
 
 	args = frappe._dict(
 		doctype=doctype,
@@ -90,8 +87,6 @@ def get(doctype, name=None, filters=None, parent=None):
 	:param doctype: DocType of the document to be returned
 	:param name: return document of this `name`
 	:param filters: If name is not set, filter by these values and return the first match"""
-	if frappe.is_table(doctype):
-		check_parent_permission(parent, doctype)
 
 	if name:
 		doc = frappe.get_doc(doctype, name)
@@ -113,8 +108,6 @@ def get_value(doctype, fieldname, filters=None, as_dict=True, debug=False, paren
 	:param doctype: DocType to be queried
 	:param fieldname: Field to be returned (default `name`)
 	:param filters: dict or string for identifying the record"""
-	if frappe.is_table(doctype):
-		check_parent_permission(parent, doctype)
 
 	if not frappe.has_permission(doctype, parent_doctype=parent):
 		frappe.throw(_("No permission for {0}").format(_(doctype)), frappe.PermissionError)
diff --git a/frappe/model/db_query.py b/frappe/model/db_query.py
index ae39b9913c..bf8f597cfc 100644
--- a/frappe/model/db_query.py
+++ b/frappe/model/db_query.py
@@ -1350,22 +1350,6 @@ def cast_name(column: str) -> str:
 	return column
 
 
-def check_parent_permission(parent, child_doctype):
-	if parent:
-		# User may pass fake parent and get the information from the child table
-		if child_doctype and not (
-			frappe.db.exists("DocField", {"parent": parent, "options": child_doctype})
-			or frappe.db.exists("Custom Field", {"dt": parent, "options": child_doctype})
-		):
-			raise frappe.PermissionError
-
-		if frappe.permissions.has_permission(parent):
-			return
-
-	# Either parent not passed or the user doesn't have permission on parent doctype of child table!
-	raise frappe.PermissionError
-
-
 def get_order_by(doctype, meta):
 	order_by = ""