From d7da5b047d5b7cf69da15d4269681c1fbff19957 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 06:13:11 +0000
Subject: [PATCH] fix: add portal user ownership check to supplier quotation (backport #54298) (#54300)
Co-authored-by: Mihir Kandoi
fix: add portal user ownership check to supplier quotation (#54298)
---
 .../doctype/request_for_quotation/request_for_quotation.py | 5 +++++
 .../request_for_quotation/test_request_for_quotation.py | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
index 09d7d30ab39..03254c30f6e 100644
--- a/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/request_for_quotation.py
@@ -477,6 +477,11 @@ def create_supplier_quotation(doc):
 if isinstance(doc, str):
 doc = json.loads(doc)
+ if frappe.session.user not in frappe.get_all(
+ "Portal User", {"parent": doc.get("supplier")}, pluck="user"
+ ):
+ frappe.throw(_("Not Permitted"), frappe.PermissionError)
+
 try:
 sq_doc = frappe.get_doc(
 {
diff --git a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
index 9201f6c4f2d..36468a83dac 100644
--- a/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
+++ b/erpnext/buying/doctype/request_for_quotation/test_request_for_quotation.py
@@ -264,6 +264,13 @@ def make_request_for_quotation(**args) -> "RequestforQuotation":
 for data in supplier_data:
 rfq.append("suppliers", data)
+ frappe.new_doc(
+ "Portal User",
+ user="Administrator",
+ parent=data.get("supplier"),
+ parentfield="portal_users",
+ parenttype="Supplier",
+ ).insert()
 rfq.append(
 "items",
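Review bot: The membership test added to create_supplier_quotation filters Portal User rows by `parent` alone, so a row whose parent name equals the submitted supplier value passes regardless of which doctype that parent belongs to. The fixture in this same patch sets `parenttype="Supplier"` and `parentfield="portal_users"` on these rows, which suggests the child table is generic; if it can hang off another doctype too, narrow the filter to `"Portal User", {"parent": doc.get("supplier"), "parenttype": "Supplier"}, pluck="user"`. The supplier value is taken from the caller's own payload, and the rest of the function (from `try:` onward) lies outside the hunk, so it is not visible here whether the request for quotation named in that payload actually lists this supplier; that link deserves its own check. Rejecting a missing or empty `supplier` before the query would also make the deny path explicit instead of relying on how an empty parent filter is evaluated.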
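Review bot: No test in this patch exercises the deny path of the new ownership check; the fixture change in make_request_for_quotation only registers `Administrator` as a portal user of each supplier, presumably so the existing tests keep passing. A case that switches to a user with no Portal User row for the supplier and wraps the `create_supplier_quotation` call in `with self.assertRaises(frappe.PermissionError):` would pin the behaviour the commit is meant to add. The row is inserted unconditionally on every call, so repeated calls for the same supplier may accumulate duplicate Portal User rows unless the test setup rolls back; a one-line comment such as `# create_supplier_quotation requires the session user to be a portal user of the supplier` would explain why it is here. The function's body starts and ends outside the hunk.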