diff --git a/src/controllers/06-request-list-controller.ts b/src/controllers/06-request-list-controller.ts
index bfd9712..5857be2 100644
--- a/src/controllers/06-request-list-controller.ts
+++ b/src/controllers/06-request-list-controller.ts
@@ -269,7 +269,7 @@ export class RequestDataActionController extends Controller {
     return result[0];
   }
 
-  @Post("request-work/${requestWorkId}/reject-request-cancel")
+  @Post("request-work/{requestWorkId}/reject-request-cancel")
   @Security("keycloak")
   async rejectWorkRequestCancel(
     @Request() req: RequestWithUser,
@@ -303,7 +303,20 @@ export class RequestDataActionController extends Controller {
 
   @Post("cancel")
   @Security("keycloak")
-  async cancelRequestData(@Path() requestDataId: string) {
+  async cancelRequestData(@Request() req: RequestWithUser, @Path() requestDataId: string) {
+    const result = await prisma.requestData.findFirst({
+      where: {
+        id: requestDataId,
+        quotation: {
+          registeredBranch: {
+            OR: permissionCond(req.user),
+          },
+        },
+      },
+    });
+
+    if (!result) throw notFoundError("Request Data");
+
     await prisma.$transaction(async (tx) => {
       const workStepCondition = {
         requestWork: { requestDataId },