fix: add portal user ownership check to supplier quotation (backport #54298) (#54300)

Co-authored-by: Mihir Kandoi <kandoimihir@gmail.com>
fix: add portal user ownership check to supplier quotation (#54298)

erpnext/buying/doctype/request_for_quotation/request_for_quotation.py

@@ -477,6 +477,11 @@ def create_supplier_quotation(doc):
 	if isinstance(doc, str):
 		doc = json.loads(doc)
 
+	if frappe.session.user not in frappe.get_all(
+		"Portal User", {"parent": doc.get("supplier")}, pluck="user"
+	):
+		frappe.throw(_("Not Permitted"), frappe.PermissionError)
+
 	try:
 		sq_doc = frappe.get_doc(
 			{

erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py

@@ -264,6 +264,13 @@ def make_request_for_quotation(**args) -> "RequestforQuotation":
 
 	for data in supplier_data:
 		rfq.append("suppliers", data)
+		frappe.new_doc(
+			"Portal User",
+			user="Administrator",
+			parent=data.get("supplier"),
+			parentfield="portal_users",
+			parenttype="Supplier",
+		).insert()
 
 	rfq.append(
 		"items",