diff --git a/src/controllers/06-request-list-controller.ts b/src/controllers/06-request-list-controller.ts
index f1b4ac1..56091a0 100644
--- a/src/controllers/06-request-list-controller.ts
+++ b/src/controllers/06-request-list-controller.ts
@@ -1,6 +1,11 @@
 import { Controller, Delete, Get, Path, Put, Query, Request, Route, Security, Tags } from "tsoa";
 import { RequestWithUser } from "../interfaces/user";
 import prisma from "../db";
+import { Prisma } from "@prisma/client";
+import { createPermCheck, createPermCondition } from "../services/permission";
+
+// User in company can see.
+const permissionCond = createPermCondition((_) => true);
 
 @Route("api/v1/request-list")
 @Tags("Request List")
@@ -12,8 +17,21 @@ export class RequestListController extends Controller {
     @Query() page: number = 1,
     @Query() pageSize: number = 30,
   ) {
+    const where = {
+      request: {
+        quotation: {
+          customerBranch: {
+            customer: {
+              registeredBranch: { OR: permissionCond(req.user) },
+            },
+          },
+        },
+      },
+    } satisfies Prisma.RequestWorkWhereInput;
+
     const [result, total] = await prisma.$transaction([
       prisma.requestWork.findMany({
+        where,
         include: {
           request: {
             include: {
@@ -32,7 +50,7 @@ export class RequestListController extends Controller {
         take: pageSize,
         skip: (page - 1) * pageSize,
       }),
-      prisma.requestWork.count(),
+      prisma.requestWork.count({ where }),
     ]);
 
     return { result, page, pageSize, total };