From 56c602e94df77b707bf40e3a44b93df18fb9c229 Mon Sep 17 00:00:00 2001
From: Shrihari Mahabal
Date: Mon, 27 Apr 2026 18:00:47 +0530
Subject: [PATCH] fix: add perm check to document follow

---
 frappe/desk/form/document_follow.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/frappe/desk/form/document_follow.py b/frappe/desk/form/document_follow.py
index 39f5f1530e..ba87256fa4 100644
--- a/frappe/desk/form/document_follow.py
+++ b/frappe/desk/form/document_follow.py
@@ -58,6 +58,9 @@ def follow_document(doctype: str, doc_name: str, user: str) -> Document | bool:
 frappe.toast(_("Administrator can't follow"))
 return False
 
+ if user != frappe.session.user and not frappe.has_permission("Document Follow", "write"):
+ frappe.throw(_("You can only follow documents for yourself."), frappe.PermissionError)
+
 if not frappe.db.get_value("User", user, "document_follow_notify", ignore=True, cache=True):
 frappe.toast(_("Document follow is not enabled for this user."))
 return False
@@ -74,6 +77,9 @@ def follow_document(doctype: str, doc_name: str, user: str) -> Document | bool:
 
 @frappe.whitelist()
 def unfollow_document(doctype: str, doc_name: str, user: str) -> bool:
+ if user != frappe.session.user:
+ frappe.throw(_("You can only unfollow documents for yourself."), frappe.PermissionError)
+
 doc = frappe.get_all(
 "Document Follow",
 filters={"ref_doctype": doctype, "ref_docname": doc_name, "user": user},
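Review bot: The new guard in follow_document raises `frappe.PermissionError` whenever `user` differs from `frappe.session.user`, so any server-side code path that creates a follow on behalf of another user would now fail unless the acting user has write access on Document Follow. The callers are not visible in this patch, so they need checking; at minimum the contract should be stated above the check, e.g. `# Acting for another user requires write access on Document Follow; internal callers must satisfy this too.` The guard also only decides who may act for `user`: nothing in the hunk verifies that the session user can read `doctype`/`doc_name`, and since the function body starts and ends outside the hunk, such a check may already exist there. If it does not, `frappe.has_permission(doctype, "read", doc=doc_name, throw=True)` before the follow record is created would stop change notifications being set up for a document the requester cannot read.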
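Review bot: unfollow_document rejects every call where `user != frappe.session.user`, while follow_document in the same patch lets a user with write access on Document Follow act for someone else, so a follow created on another user's behalf cannot be removed through this endpoint by that same privileged user. If the asymmetry is intended, record it next to the check with a comment such as `# Unfollow is self-service only; there is no delegated override.`; otherwise mirror the override with `if user != frappe.session.user and not frappe.has_permission("Document Follow", "delete"):`. The function body continues past the end of the hunk, so what is done with the `frappe.get_all` result is not visible here.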