Diffstat (limited to 'indoteknik_api/controllers/api_v1')
| -rw-r--r-- | indoteknik_api/controllers/api_v1/sale_order.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/indoteknik_api/controllers/api_v1/sale_order.py b/indoteknik_api/controllers/api_v1/sale_order.py
index a9113ada..0da7f894 100644
--- a/indoteknik_api/controllers/api_v1/sale_order.py
+++ b/indoteknik_api/controllers/api_v1/sale_order.py
@@ -643,20 +643,26 @@ class SaleOrder(controller.Controller):
 # Get the partner associated with the sale order
 partner = sale_order.partner_id
+ company_id = partner.company_id.id
- # Check if the email matches the partner's email
- if partner.email != email_user:
+ # Search for all partners within the same company
+ partners_in_company = request.env['res.partner'].search([('company_id', '=', company_id)])
+
+ # Check if the email matches any partner's email in the same company
+ email_match = partners_in_company.filtered(lambda p: p.email == email_user)
+ if not email_match:
 return self.response({
 'code': 403,
 'so': so,
 'email': email_user,
- 'description': "Email does not match the Sale Order."
+ 'description': "Email does not match any partner in the same company as the Sale Order."
 })
 # Check for partner child ids if needed
 partner_child_ids = self.get_partner_child_ids(partner.id)
 if sale_order.partner_id.id not in partner_child_ids:
 return self.response({
+ 'code': 403,
 'so': so,
 'email': email_user,
 'description': "Unauthorized access to Sale Order details."
@@ -666,3 +672,4 @@ class SaleOrder(controller.Controller):
 data = request.env['sale.order'].api_v1_single_response(sale_order, context='with_detail')
 return self.response(data)
+ |
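Review bot: The new email check in the first hunk passes when `email_user` matches any partner sharing the order partner's `company_id`, and if this is the standard Odoo `res.partner` model that field is the multi-company `res.company` link, not the customer's organization. In a single-company database, or when the field is unset and the domain becomes `('company_id', '=', False)`, the candidate set is effectively every partner, so the check no longer ties the email to this sale order. Scope the lookup to the order's commercial entity instead, e.g. `email_match = request.env['res.partner'].search_count([('id', 'child_of', partner.commercial_partner_id.id), ('email', '=', email_user)])`, which also avoids loading every partner only to filter in Python. The child-id check that follows compares `sale_order.partner_id.id` against a list built from that same partner, so it appears not to bind the caller to the order either and should be derived from the authenticated user's partner. How `email_user` is obtained is not visible here, since the enclosing method starts and ends outside the hunk.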
