Diffstat (limited to 'indoteknik_api/controllers/api_v1/invoice.py')
| -rw-r--r-- | indoteknik_api/controllers/api_v1/invoice.py | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/indoteknik_api/controllers/api_v1/invoice.py b/indoteknik_api/controllers/api_v1/invoice.py
index 59cacfc4..4937e8dd 100644
--- a/indoteknik_api/controllers/api_v1/invoice.py
+++ b/indoteknik_api/controllers/api_v1/invoice.py
@@ -8,11 +8,8 @@ class Invoice(controller.Controller):
 PREFIX_PARTNER = PREFIX + 'partner/<partner_id>/'
 @http.route(PREFIX_PARTNER + 'invoice', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def get_partner_invoice(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, {
 'partner_id': ['number'],
 'name': [],
@@ -21,8 +18,6 @@ class Invoice(controller.Controller):
 })
 limit = params['value']['limit']
 offset = params['value']['offset']
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params)
@@ -47,17 +42,12 @@ class Invoice(controller.Controller):
 return self.response(data)
 @http.route(PREFIX_PARTNER + 'invoice/<id>', auth='public', method=['GET', 'OPTIONS'])
+ @controller.Controller.must_authorized(private=True, private_key='partner_id')
 def get_partner_invoice_by_id(self, **kw):
- user_token = self.authenticate()
- if not user_token:
- return self.unauthorized_response()
-
 params = self.get_request_params(kw, {
 'partner_id': ['number'],
 'id': ['number']
 })
- if not user_token['partner_id'] == params['value']['partner_id']:
- return self.unauthorized_response()
 if not params['valid']:
 return self.response(code=400, description=params) |
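Review bot: In the first hunk, the partner check in `get_partner_invoice` now runs inside `must_authorized(private=True, private_key='partner_id')`, before `get_request_params` has validated `partner_id` as a number. The removed lines compared the token against the validated `params['value']['partner_id']`. The decorator is not shown in this diff, so confirm that it converts the raw `<partner_id>` path value before comparing, and that a missing or non-numeric value returns the unauthorized response rather than raising or skipping the check. Because the route stays `auth='public'`, the decorator is the only access control here; a comment above the `def` such as `# access control: must_authorized verifies the token and that its partner_id matches <partner_id>` would make that visible. The same applies to `get_partner_invoice_by_id` in the third hunk; both function bodies continue outside their hunks.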
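Review bot: In the third hunk, `get_partner_invoice_by_id` is authorized on `partner_id` only, so the lookup by `id` further down has to restrict the record to that partner as well. That lookup is outside this hunk, so the restriction may already be in place. If it is not, an authenticated partner could read an invoice that belongs to a different partner. The search should then carry a partner condition next to the `id` condition, for example `('partner_id', '=', params['value']['partner_id'])` (field name assumed), and return the same not-found response for a foreign invoice as for a missing one.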
