From b66c8d4f7da28bbe6f60ba2348a1b111e08639c1 Mon Sep 17 00:00:00 2001
From: Charles-Henri Decultot <chdecultot@dokos.io>
Date: Mon, 30 Jun 2025 17:17:09 +0200
Subject: [PATCH] fix: check permissions before fetching timeline data

---
 erpnext/accounts/party.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/erpnext/accounts/party.py b/erpnext/accounts/party.py
index af6fac10fe..2a4e31b9d2 100644
--- a/erpnext/accounts/party.py
+++ b/erpnext/accounts/party.py
@@ -878,6 +878,9 @@ def get_timeline_data(doctype, name, included_doctypes=None):
 
 	data = list(communication_data)
 	for doctype in included_doctypes:
+		if not frappe.has_permission(doctype, "read"):
+			continue
+
 		data.extend(
 			frappe.get_list(
 				doctype["name"],
-- 
GitLab