fix: Check Reference Doctype perms & control indicator change

- Don’t change indicator on filter change if user can’t write to board. They can’t save filters
- Invoke `update_order` on Kanban board init() only if user has `write` access to reference doctype (non-deliberate invocation)
- All deliberate invocations of `update_order` via UI actions are blocked/hidden without `write` access
- Remove elements with no access instead of hiding to avoid inspect element hacks
- Card Actions: Block card dragging if no `write` access to reference doctype
- Card Actions: Block card adding  if no `create` access to reference doctype

(cherry picked from commit d6bdd63)

frappe/client.py

@@ -306,6 +306,7 @@ def has_permission(doctype, docname, perm_type="read"):
 	# perm_type can be one of read, write, create, submit, cancel, report
 	return {"has_permission": frappe.has_permission(doctype, perm_type.lower(), docname)}
 
+
 @frappe.whitelist()
 def get_doc_permissions(doctype, docname):
 	"""Returns an evaluated document permissions dict like `{"read":1, "write":1}`
@@ -316,6 +317,7 @@ def get_doc_permissions(doctype, docname):
 	doc = frappe.get_doc(doctype, docname)
 	return {"permissions": frappe.permissions.get_doc_permissions(doc)}
 
+
 @frappe.whitelist()
 def get_password(doctype, name, fieldname):
 	"""Return a password type property. Only applicable for System Managers

frappe/public/js/frappe/views/kanban/kanban_board.bundle.js

@@ -326,7 +326,12 @@ frappe.provide("frappe.views");
 			store.watch((state, getters) => {
 				return state.empty_state;
 			}, show_empty_state);
-			store.dispatch("update_order");
+
+			if (frappe.model.can_write(store.state.doctype)) {
+				// Check for reference doctype access before initiating
+				// non-deliberate action
+				store.dispatch("update_order");
+			}
 		}
 
 		function prepare() {
@@ -377,7 +382,7 @@ frappe.provide("frappe.views");
 		function bind_add_column() {
 			if (!self.board_perms.write) {
 				// If no write access, editing board (by adding column) should be blocked
-				self.$kanban_board.find(".add-new-column").hide();
+				self.$kanban_board.find(".add-new-column").remove();
 				return;
 			}
 
@@ -576,6 +581,9 @@ frappe.provide("frappe.views");
 		}
 
 		function setup_sortable() {
+			// Block card dragging/record editing without 'write' access
+			if (!frappe.model.can_write(store.state.doctype)) return;
+
 			Sortable.create(self.$kanban_cards.get(0), {
 				group: "cards",
 				animation: 150,
@@ -609,6 +617,14 @@ frappe.provide("frappe.views");
 			var $wrapper = self.$kanban_column;
 			var $btn_add = $wrapper.find(".add-card");
 			var $new_card_area = $wrapper.find(".new-card-area");
+
+			if (!frappe.model.can_create(store.state.doctype)) {
+				// Block record/card creation without 'create' access
+				$btn_add.remove();
+				$new_card_area.remove();
+				return;
+			}
+
 			var $textarea = $new_card_area.find("textarea");
 
 			//Add card button
@@ -652,7 +668,7 @@ frappe.provide("frappe.views");
 		function bind_options() {
 			if (!board_perms.write) {
 				// If no write access, column options should be hidden
-				self.$kanban_column.find(".column-options").hide();
+				self.$kanban_column.find(".column-options").remove();
 				return;
 			}
 

frappe/public/js/frappe/views/kanban/kanban_view.js

@@ -151,6 +151,8 @@ frappe.views.KanbanView = class KanbanView extends frappe.views.ListView {
 	render_list() {}
 
 	on_filter_change() {
+		if (!this.board_perms.write) return; // avoid misleading ux
+
 		if (JSON.stringify(this.board.filters_array) !== JSON.stringify(this.filter_area.get())) {
 			this.page.set_indicator(__("Not Saved"), "orange");
 		} else {