From 5992baeaff00df02de091d70fcc5bc5c3f1500bd Mon Sep 17 00:00:00 2001
From: Akhil Narang
Date: Fri, 19 Dec 2025 19:04:10 +0530
Subject: [PATCH] fix(query): respect `validate_filters`
Block dot notation for link field access, and automatic child table detection as well
Signed-off-by: Akhil Narang
---
 frappe/database/query.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/frappe/database/query.py b/frappe/database/query.py
index c06d511e51..2eb78c673a 100644
--- a/frappe/database/query.py
+++ b/frappe/database/query.py
@@ -772,6 +772,13 @@ class Engine:
 # Handle dot notation (link_field.target_field or child_table_field.target_field)
 if "." in field:
+ if self.validate_filters:
+ frappe.throw(
+ _("Filtering by link fields is not allowed with validate_filters: {0}").format(field),
+ frappe.ValidationError,
+ title=_("Invalid Filter"),
+ )
+
 # Disallow tabDoc.field notation in filters.
 dynamic_field = DynamicTableField.parse(field, self.doctype, allow_tab_notation=False)
 if dynamic_field:
@@ -814,6 +821,14 @@ class Engine:
 # If a specific doctype is provided and it's different from the main query doctype,
 # assume it's a child table and add the join using ChildTableField logic.
 if doctype and doctype != self.doctype:
+ if self.validate_filters:
+ frappe.throw(
+ _(
+ "Filtering by child table doctype explicitly is not allowed with validate_filters: {0}"
+ ).format(doctype),
+ frappe.ValidationError,
+ title=_("Invalid Filter"),
+ )
 # Check if doctype is a valid child table of self.doctype
 parent_meta = frappe.get_meta(self.doctype)
 # Find the parent fieldname for this child doctype
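Review bot: The error text in the new guard under `if "." in field:` names only link fields, but the comment directly above says this branch also handles `child_table_field.target_field`, so a caller blocked on a child-table path gets a misleading message. A wording such as `_("Filtering with dot notation (link or child table fields) is not allowed with validate_filters: {0}")` would cover both cases. The guard would also benefit from a short why-comment, for example `# validate_filters: refuse dot notation so the filter cannot pull in a join to another doctype`; that rationale is inferred from the commit message and should be confirmed by the author. The enclosing method starts and ends outside the hunk.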
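Review bot: Neither this guard on `doctype != self.doctype` nor the dot-notation guard in the first hunk comes with a test; the diffstat lists only `frappe/database/query.py`. Because both exist to reject filters when `validate_filters` is set, a regression test should assert that `frappe.ValidationError` is raised for a dotted field and for an explicit child doctype, and that the same filters are still accepted without the flag, so a later refactor of this method cannot quietly reopen either path. The two `frappe.throw(...)` calls differ only in their message and argument, so a small private helper would keep them from drifting apart. The enclosing method continues outside the hunk.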