From 699f132d053aaa9d3a1a08f84400192683556029 Mon Sep 17 00:00:00 2001
From: Suraj Shetty <surajshetty3416@gmail.com>
Date: Thu, 9 May 2019 14:16:49 +0530
Subject: [PATCH 1/2] fix: Show "Merge Account" button only to users with write
 access

---
 erpnext/accounts/doctype/account/account.js | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/erpnext/accounts/doctype/account/account.js b/erpnext/accounts/doctype/account/account.js
index bb059f673c..f7f1a5fb15 100644
--- a/erpnext/accounts/doctype/account/account.js
+++ b/erpnext/accounts/doctype/account/account.js
@@ -42,15 +42,14 @@ frappe.ui.form.on('Account', {
 				// show / hide convert buttons
 				frm.trigger('add_toolbar_buttons');
 			}
-			frm.add_custom_button(__('Update Account Name / Number'), function () {
-				frm.trigger("update_account_number");
-			});
-		}
-
-		if(!frm.doc.__islocal) {
-			frm.add_custom_button(__('Merge Account'), function () {
-				frm.trigger("merge_account");
-			});
+			if (frm.has_perm('write')) {
+				frm.add_custom_button(__('Update Account Name / Number'), function () {
+					frm.trigger("update_account_number");
+				});
+				frm.add_custom_button(__('Merge Account'), function () {
+					frm.trigger("merge_account");
+				});
+			}
 		}
 	},
 	account_type: function (frm) {

From b68ae15dec42413e47a985d031e90f5dd8b4b9ba Mon Sep 17 00:00:00 2001
From: Suraj Shetty <surajshetty3416@gmail.com>
Date: Thu, 9 May 2019 14:18:41 +0530
Subject: [PATCH 2/2] fix: Check permissions before renaming the account

---
 erpnext/accounts/doctype/account/account.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/erpnext/accounts/doctype/account/account.py b/erpnext/accounts/doctype/account/account.py
index ecf67dd1db..68efe37719 100644
--- a/erpnext/accounts/doctype/account/account.py
+++ b/erpnext/accounts/doctype/account/account.py
@@ -268,7 +268,7 @@ def update_account_number(name, account_name, account_number=None):
 
 	new_name = get_account_autoname(account_number, account_name, account.company)
 	if name != new_name:
-		frappe.rename_doc("Account", name, new_name, ignore_permissions=1)
+		frappe.rename_doc("Account", name, new_name, force=1)
 		return new_name
 
 @frappe.whitelist()
@@ -287,7 +287,7 @@ def merge_account(old, new, is_group, root_type, company):
 		frappe.db.set_value("Account", new, "parent_account",
 			frappe.db.get_value("Account", old, "parent_account"))
 
-	frappe.rename_doc("Account", old, new, merge=1, ignore_permissions=1)
+	frappe.rename_doc("Account", old, new, merge=1, force=1)
 
 	return new