diff --git a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
index 73ff7545ca5..791dc3088bc 100644
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
@@ -474,6 +474,11 @@ def create_supplier_quotation(doc):
 	if isinstance(doc, str):
 		doc = json.loads(doc)
 
+	if frappe.session.user not in frappe.get_all(
+		"Portal User", {"parent": doc.get("supplier")}, pluck="user"
+	):
+		frappe.throw(_("Not Permitted"), frappe.PermissionError)
+
 	try:
 		sq_doc = frappe.get_doc(
 			{
diff --git a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
index c2578c49080..a92d8d95626 100644
--- a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
@@ -263,6 +263,13 @@ def make_request_for_quotation(**args) -> "RequestforQuotation":
 
 	for data in supplier_data:
 		rfq.append("suppliers", data)
+		frappe.new_doc(
+			"Portal User",
+			user="Administrator",
+			parent=data.get("supplier"),
+			parentfield="portal_users",
+			parenttype="Supplier",
+		).insert()
 
 	rfq.append(
 		"items",