diff --git a/dasettings/views.py b/dasettings/views.py
index 3c14ea7..b583af6 100644
--- a/dasettings/views.py
+++ b/dasettings/views.py
@@ -287,7 +287,6 @@ def GetBill(request, pk):
 		'fileid' : json.loads(r.text)["documentFileId"]
 	}
 	
-
 	return render(request, 'dasettings/bill_single.html', context)
 
 import io as BytesIO
@@ -296,30 +295,36 @@ from django.http import HttpResponse
 
 @login_required
 def GetBillPDF(request, pk):
+	bill = AgencyBills.objects.get(pk=pk)
+	# Sicherheitscheck, ob der angefragte User zur Agentur gehört und das Recht hat, Agenturinfos zu bearbeiten
+	if bill.agency == request.user.profile.agency and request.user.has_perm("users.agencyinfo"):
+		headers = {
+			'Authorization': 'Bearer ' + settings.LEX_API,
+			'Content-Type': 'application/json',
+			'Accept': 'application/json',
+		}
+
+		lexdata = {
+			"renderType" : "pdf"		
+		}
+		json_data = json.dumps(lexdata)	
+
+		r =	requests.get("https://api.lexoffice.io/v1/invoices/"+bill.lexid+"/document", data=json_data, headers=headers)
+		json.loads(r.text)
+		
+		base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
+
+		buffer = BytesIO.BytesIO()
+		content = base64.b64decode(base64String.text)
+		buffer.write(content)
+
+		response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
+		response['Content-Disposition'] = 'inline;filename=some_file.pdf'
+		return response
+	else:
+		messages.warning(request, f'Diese Daten sind für Sie nicht einsehbar.')
+		return redirect("dasettings")
 	
-	headers = {
-		'Authorization': 'Bearer ' + settings.LEX_API,
-		'Content-Type': 'application/json',
-		'Accept': 'application/json',
-	}
-
-	lexdata = {
-		"renderType" : "pdf"		
-	}
-	json_data = json.dumps(lexdata)	
-
-	r =	requests.get("https://api.lexoffice.io/v1/invoices/"+AgencyBills.objects.get(pk=pk).lexid+"/document", data=json_data, headers=headers)
-	json.loads(r.text)
-	
-	base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
-
-	buffer = BytesIO.BytesIO()
-	content = base64.b64decode(base64String.text)
-	buffer.write(content)
-
-	response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
-	response['Content-Disposition'] = 'inline;filename=some_file.pdf'
-	return response
 
 
 '''