diff --git a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
index 90d078eb2b5..42ba9004150 100644
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
@@ -481,6 +481,11 @@ def create_supplier_quotation(doc: str | Document | dict):
 	if isinstance(doc, str):
 		doc = json.loads(doc)
 
+	if frappe.session.user not in frappe.get_all(
+		"Portal User", {"parent": doc.get("supplier")}, pluck="user"
+	):
+		frappe.throw(_("Not Permitted"), frappe.PermissionError)
+
 	try:
 		sq_doc = frappe.get_doc(
 			{
diff --git a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
index 482b5899ec3..6f28a15451b 100644
--- a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
@@ -263,6 +263,13 @@ def make_request_for_quotation(**args):
 
 	for data in supplier_data:
 		rfq.append("suppliers", data)
+		frappe.new_doc(
+			"Portal User",
+			user="Administrator",
+			parent=data.get("supplier"),
+			parentfield="portal_users",
+			parenttype="Supplier",
+		).insert()
 
 	rfq.append(
 		"items",