From 5175050ed69c3a40407b050eaad7ba4b0dd93610 Mon Sep 17 00:00:00 2001
From: Jannat Patel <pateljannat2308@gmail.com>
Date: Mon, 19 Jan 2026 18:33:14 +0530
Subject: [PATCH] fix: allow enabled server script endpoints

---
 lms/auth.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lms/auth.py b/lms/auth.py
index 7ad9354b..7fc9be03 100644
--- a/lms/auth.py
+++ b/lms/auth.py
@@ -61,6 +61,16 @@ def authenticate():
 	if path.startswith("/lms") or path.startswith("/api/method/lms."):
 		return
 
+	if is_server_script_path(path):
+		return
+
 	if path in ALLOWED_PATHS:
 		return
 	frappe.throw(f"Access not allowed for this URL: {path}", frappe.PermissionError)
+
+
+def is_server_script_path(path):
+	endpoint = path.split("/api/method/")[-1]
+	if frappe.db.exists("Server Script", {"script_type": "API", "api_method": endpoint, "disabled": 0}):
+		return True
+	return False