diff --git a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
index 9dd6664f..4e38fcae 100644
--- a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
+++ b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
@@ -1314,6 +1314,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> ApproveCancelLeaveRequestAsync(Guid id,
             [FromBody] CancelLeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.ApproveCancelLeaveRequestAsync(id, req.Reason ?? "");
 
             return Success();
@@ -1335,6 +1341,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> RejectCancelLeaveRequestAsync(Guid id,
             [FromBody] CancelLeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.RejectCancelLeaveRequestAsync(id, req.Reason ?? "");
 
             return Success();
@@ -1380,6 +1392,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> CommanderApproveLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.CommanderApproveLeaveRequest(id, req.Reason ?? "");
 
             return Success();
@@ -1400,6 +1418,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> ApproveLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.ApproveLeaveRequest(id, req.Reason ?? "");
 
             return Success();
@@ -1440,6 +1464,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> RejectLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.RejectLeaveRequest(id, req.Reason ?? "");
 
             return Success();