From a0de7c00bae785bcae4878ff6a63bea9d9081e30 Mon Sep 17 00:00:00 2001
From: UmakanthKaspa
Date: Sat, 20 Sep 2025 11:40:39 +0000
Subject: [PATCH 1/3] fix: prevent manual typing of restricted values in Link fields
---
 frappe/client.py | 6 ++++++
 frappe/model/base_document.py | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/frappe/client.py b/frappe/client.py
index 8c893b5ce7..b74290cc4d 100644
--- a/frappe/client.py
+++ b/frappe/client.py
@@ -437,6 +437,12 @@ def validate_link(doctype: str, docname: str, fields=None):
 if not values.name:
 return values
+ if not frappe.has_permission(doctype, "read", doc=values.name):
+ frappe.throw(
+ _("You do not have permission to access {0} {1}").format(frappe.bold(doctype), frappe.bold(docname)),
+ frappe.PermissionError,
+ )
+
 if not fields:
 frappe.local.response_headers.set("Cache-Control", "private,max-age=1800,stale-while-revalidate=7200")
 return values
diff --git a/frappe/model/base_document.py b/frappe/model/base_document.py
index 3a5057595e..ec3c618c44 100644
--- a/frappe/model/base_document.py
+++ b/frappe/model/base_document.py
@@ -991,6 +991,10 @@ class BaseDocument:
 ):
 cancelled_links.append((df.fieldname, docname, get_msg(df, docname)))
+ elif values.name and not df.get("ignore_user_permissions"):
+ if not frappe.has_permission(doctype, "read", doc=values.name):
+ invalid_links.append((df.fieldname, docname, get_msg(df, docname)))
+
 return invalid_links, cancelled_links
 def set_fetch_from_value(self, doctype, df, values):
From 2ad7042cb35fea6faad98909b1cf6a5c522601df Mon Sep 17 00:00:00 2001
From: UmakanthKaspa
Date: Mon, 22 Sep 2025 10:14:17 +0000
Subject: [PATCH 2/3] style: format client.py with ruff-format
---
 frappe/client.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/frappe/client.py b/frappe/client.py
index b74290cc4d..cc6413ebc7 100644
--- a/frappe/client.py
+++ b/frappe/client.py
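Review bot: The new `has_permission(doctype, "read", doc=values.name)` check applies role and user permissions to every lookup this endpoint serves, but it has no way to honor a Link field's `ignore_user_permissions` option, which the base_document hunk of this same commit explicitly respects; assuming the form calls validate_link for every Link field, a field configured with that option will be rejected here for exactly the values it is meant to accept. Since the function receives only doctype, docname and fields it cannot look up the DocField itself, so the caller would have to say so, e.g. `def validate_link(doctype: str, docname: str, fields=None, ignore_user_permissions: bool = False):` with the check falling back to `frappe.has_permission(doctype, "read")` when the flag is set — and because such a flag is client-supplied, this endpoint stays advisory and document-level validation has to remain the real enforcement. A smaller point: a record that exists but is not readable now raises PermissionError while a missing one returns the empty `values`, so the endpoint lets a caller tell "forbidden" from "not found" for restricted records; where that matters, return the same empty result on both paths. The signature of validate_link and the lookup that fills `values` are outside the hunk.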
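Review bot: The added `has_permission` check in the `elif` runs on every save regardless of how the document is being saved, so server-side code that inserts or saves with permissions bypassed (scheduled jobs, fixtures, records created on behalf of a user) will now fail link validation whenever the session user cannot read the linked record; assuming the document's bypass flag is reachable here as `self.flags.ignore_permissions`, it belongs in the condition: `elif values.name and not df.get("ignore_user_permissions") and not self.flags.ignore_permissions:`. The failure is also appended to `invalid_links` with `get_msg(df, docname)`, the same message used when the link target does not exist, so the user is told a record is missing when it is in fact forbidden; a distinct message or list would keep the two cases apart. Note too that `ignore_user_permissions` names only user permissions, while `has_permission(..., doc=values.name)` evaluates role permissions as well and presumably loads each linked document, adding one fetch per Link field per save. The loop this `elif` belongs to starts before the hunk, and the third patch in this series deletes the block again without replacing the server-side enforcement.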
@@ -439,7 +439,9 @@ def validate_link(doctype: str, docname: str, fields=None):
 if not frappe.has_permission(doctype, "read", doc=values.name):
 frappe.throw(
- _("You do not have permission to access {0} {1}").format(frappe.bold(doctype), frappe.bold(docname)),
+ _("You do not have permission to access {0} {1}").format(
+ frappe.bold(doctype), frappe.bold(docname)
+ ),
 frappe.PermissionError,
 )
From 5fd295b8f267d9c629ee646bd24411889c03f488 Mon Sep 17 00:00:00 2001
From: UmakanthKaspa
Date: Sun, 12 Oct 2025 07:55:27 +0000
Subject: [PATCH 3/3] fix: Remove backend permission check from link validation
---
 frappe/model/base_document.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/frappe/model/base_document.py b/frappe/model/base_document.py
index ec3c618c44..3a5057595e 100644
--- a/frappe/model/base_document.py
+++ b/frappe/model/base_document.py
@@ -991,10 +991,6 @@ class BaseDocument:
 ):
 cancelled_links.append((df.fieldname, docname, get_msg(df, docname)))
- elif values.name and not df.get("ignore_user_permissions"):
- if not frappe.has_permission(doctype, "read", doc=values.name):
- invalid_links.append((df.fieldname, docname, get_msg(df, docname)))
-
 return invalid_links, cancelled_links
 def set_fetch_from_value(self, doctype, df, values):