Wizard with no access rules doesn't inherit model access rules by default
Purchase_request_quotation module add a new wizard on purchase_request. There's no access rules defined on this wizard. When using a user only with read access on purchase_request and purchase_request_quotation, you can still execute wizard.
I opened another issue to add missing rights access (#9029 (closed)) but wizard should herit access right of the underlying model.
I made some tests, problem seems in this test:
https://hg.tryton.org/trytond/file/default/trytond/ir/model.py#l559
With non-root user, IF result is True (raise_exception = True and Transaction().context.get('_check_access') is None)