diff --git a/src/controllers/05-payment-controller.ts b/src/controllers/05-payment-controller.ts
index 1178f89..96c959d 100644
--- a/src/controllers/05-payment-controller.ts
+++ b/src/controllers/05-payment-controller.ts
@@ -210,6 +210,7 @@ export class PaymentController extends Controller {
   }
 
   @Get()
+  @Security("keycloak")
   async listAttachment(@Request() req: RequestWithUser, @Path() paymentId: string) {
     const { quotationId } = await this.checkPermission(req.user, paymentId);
     return await listFile(fileLocation.quotation.payment(quotationId, paymentId));
@@ -221,9 +222,16 @@ export class PaymentController extends Controller {
     @Path() paymentId: string,
     @Path() name: string,
   ) {
-    const { quotationId } = await this.checkPermission(req.user, paymentId);
+    const data = await prisma.payment.findUnique({
+      where: { id: paymentId },
+      include: { invoice: true },
+    });
+    if (!data) throw notFoundError("Payment");
     return req.res?.redirect(
-      await getPresigned("head", fileLocation.quotation.payment(quotationId, paymentId, name)),
+      await getPresigned(
+        "head",
+        fileLocation.quotation.payment(data.invoice.quotationId, paymentId, name),
+      ),
     );
   }
 
@@ -233,9 +241,13 @@ export class PaymentController extends Controller {
     @Path() paymentId: string,
     @Path() name: string,
   ) {
-    const { quotationId } = await this.checkPermission(req.user, paymentId);
+    const data = await prisma.payment.findUnique({
+      where: { id: paymentId },
+      include: { invoice: true },
+    });
+    if (!data) throw notFoundError("Payment");
     return req.res?.redirect(
-      await getFile(fileLocation.quotation.payment(quotationId, paymentId, name)),
+      await getFile(fileLocation.quotation.payment(data.invoice.quotationId, paymentId, name)),
     );
   }