diff --git a/Marco.Pms.Services/Service/ExpensesService.cs b/Marco.Pms.Services/Service/ExpensesService.cs
index 32dc911..09b9e6e 100644
--- a/Marco.Pms.Services/Service/ExpensesService.cs
+++ b/Marco.Pms.Services/Service/ExpensesService.cs
@@ -1641,6 +1641,16 @@ namespace Marco.Pms.Services.Service
 try
 {
+ using var scope = _serviceScopeFactory.CreateScope();
+ var permissionService = scope.ServiceProvider.GetRequiredService();
+ var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.ExpenseUpload, loggedInEmployee.Id);
+
+ if (!hasUploadPermission)
+ {
+ _logger.LogWarning("Access DENIED: Employee {EmployeeId} has no permission to create payment requests.", loggedInEmployee.Id);
+ return ApiResponse.ErrorResponse("Access Denied", "You do not have permission to create any payment request.", 409);
+ }
+
 // Execute database lookups concurrently
 var expenseCategoryTask = Task.Run(async () =>
 {