From a084bad5d5c5c2dc270d9f7af4f1d1bbf35ec102 Mon Sep 17 00:00:00 2001 From: Akhil Narang Date: Tue, 10 Mar 2026 13:43:59 +0530 Subject: [PATCH] fix(apply_field_permissions): improve checks Signed-off-by: Akhil Narang --- frappe/database/query.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/frappe/database/query.py b/frappe/database/query.py index 5020d9cdb8..59b90ea377 100644 --- a/frappe/database/query.py +++ b/frappe/database/query.py @@ -83,7 +83,7 @@ def _apply_date_field_filter_conversion(value, operator: str, doctype: str, fiel elif isinstance(value, datetime.datetime): return value.date() - except (AttributeError, TypeError, KeyError): + except AttributeError, TypeError, KeyError: pass return value @@ -669,7 +669,7 @@ class Engine: else: try: fallback_value = int(fallback_sql) - except (ValueError, TypeError): + except ValueError, TypeError: fallback_value = fallback_sql return operator_fn(_field, ValueWrapper(fallback_value)) @@ -698,7 +698,7 @@ class Engine: else: try: fallback_value = int(fallback_sql) - except (ValueError, TypeError): + except ValueError, TypeError: fallback_value = fallback_sql if fallback_value == _value: @@ -1432,6 +1432,15 @@ class Engine: # Skip child table fields if parent permission is only 'select' continue + if field.parent_fieldname: + parent_meta = frappe.get_meta(self.doctype) + if parent_meta.get_field( + field.parent_fieldname + ).permlevel not in parent_meta.get_permlevel_access( + parent_permission_type, user=self.user + ): + continue + # Cache permitted fields for child doctypes if accessed multiple times permitted_child_fields_set = self._get_cached_permitted_fields( field.doctype, 
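Review bot: The unparenthesized `except AttributeError, TypeError, KeyError:` only parses on Python 3.14 and later (PEP 758) and is a SyntaxError on earlier Python 3; the same applies to the two `except ValueError, TypeError:` rewrites in the `Engine` hunks at lines 669 and 698. These rewrites are unrelated to the permission check named in the subject and look formatter-driven (inferred). If this fix is backported to a branch that supports an older interpreter, the module would fail to import and the permission check would never run. I would keep `except (AttributeError, TypeError, KeyError):` and `except (ValueError, TypeError):` in this commit and move the syntax change to a separate one.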
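Review bot: `parent_meta.get_field(field.parent_fieldname).permlevel` in the hunk at line 1432 dereferences the lookup result unchecked, so a `parent_fieldname` that does not resolve on `self.doctype` would raise AttributeError instead of being skipped (assuming `get_field` returns None for an unknown name; please confirm). A permission filter should fail closed here: `parent_df = parent_meta.get_field(field.parent_fieldname)` followed by `if parent_df is None or parent_df.permlevel not in permitted_levels: continue`, with `permitted_levels = parent_meta.get_permlevel_access(parent_permission_type, user=self.user)` computed once rather than on every iteration. The same unchecked dereference is in the next hunk at `parent_meta.get_field(field.fieldname).permlevel`. Please also confirm that every child-table field reaching this branch carries `parent_fieldname`, because the new check is skipped entirely when it is empty. The enclosing method starts and ends outside the hunk.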
@@ -1462,6 +1471,12 @@ class Engine: # Skip child queries if parent permission is only 'select' continue + parent_meta = frappe.get_meta(self.doctype) + if parent_meta.get_field(field.fieldname).permlevel not in parent_meta.get_permlevel_access( + parent_permission_type, user=self.user + ): + continue + # Cache permitted fields for the child doctype of the query permitted_child_fields_set = self._get_cached_permitted_fields( field.doctype,
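Review bot: The added permlevel test has no comment, unlike the `select` check just above it, so a reader cannot tell why the parent field's permlevel gates a child query. I would add `# Skip child queries whose child-table field on the parent is at a permlevel the user cannot access` above `parent_meta = frappe.get_meta(self.doctype)`, and a matching comment on the `field.parent_fieldname` branch in the previous hunk. The diffstat lists only `frappe/database/query.py`, so no regression test accompanies the fix. A test asserting that a user without access to the field's permlevel gets no child-table data back would pin the behaviour. The enclosing method starts and ends outside the hunk.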