From c19dd276ba814f1e7b2c8e0a388f077b0051b4c0 Mon Sep 17 00:00:00 2001
From: Shrihari Mahabal <shriharimahabal08@gmail.com>
Date: Fri, 24 Apr 2026 17:10:50 +0530
Subject: [PATCH] fix: add perm check on user email awaiting

---
 frappe/core/doctype/user/user.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
index f31b400e32..1f05fc17ef 100644
--- a/frappe/core/doctype/user/user.py
+++ b/frappe/core/doctype/user/user.py
@@ -1038,6 +1038,9 @@ def has_email_account(email: str):
 
 @frappe.whitelist(allow_guest=False)
 def get_email_awaiting(user: str):
+	if user != frappe.session.user:
+		frappe.has_permission("User", "read", doc=user, throw=True)
+
 	return frappe.get_all(
 		"User Email",
 		fields=["email_account", "email_id"],