diff --git a/src/clj/auto_ap/graphql.clj b/src/clj/auto_ap/graphql.clj
index 54c608ee..3381af68 100644
--- a/src/clj/auto_ap/graphql.clj
+++ b/src/clj/auto_ap/graphql.clj
@@ -8,6 +8,7 @@
 [buddy.auth :refer [throw-unauthorized]] [auto-ap.db.invoices :as invoices] [auto-ap.utils :refer [by]]
+ [auto-ap.graphql.utils :refer [assert-admin can-see-company? assert-can-see-company]]
 [auto-ap.db.vendors :as vendors] [auto-ap.db.companies :as companies] [auto-ap.db.users :as users]
@@ -282,7 +283,6 @@
 :resolve :mutation/edit-expense-accounts}}})
-
 (defn snake->kebab [s] (str/replace s #"_" "-"))
@@ -337,9 +337,6 @@
 :start (:start args 0) :end (+ (:start args 0) (count invoices))}] extra-context)))
-(defn assert-admin [id]
- (when-not (= "admin" (:role id))
- (throw-unauthorized)))
 (defn get-all-invoices [context args value] (assert-admin (:id context))
@@ -426,9 +423,7 @@
 (map company-cache (:companies value)) (map companies/get-by-id (:companies value)))))
-(defn can-see-company? [identity company]
- (or (= "admin" (:role identity))
- ((set (:companies identity)) (:id company))))
+
 (defn get-company [context args value] (->graphql
@@ -443,7 +438,7 @@
 users))) (defn get-user [context args value]
- (assert-admin)
+ (assert-admin (:id context))
 (let [ users (users/get-all)
@@ -458,6 +453,8 @@
 (vendors/get-all))) (defn print-checks [context args value]
+
+ (assert-can-see-company (:id context) (:company_id args))
 (->graphql (rchecks/print-checks (map (fn [i] {:invoice-id (:invoice_id i) :amount (:amount i)})
diff --git a/src/clj/auto_ap/graphql/checks.clj b/src/clj/auto_ap/graphql/checks.clj
index 9b1ff900..4cd96bb8 100644
--- a/src/clj/auto_ap/graphql/checks.clj
+++ b/src/clj/auto_ap/graphql/checks.clj
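Review bot: In print-checks the new guard passes `(:company_id args)`, a bare company id, to `assert-can-see-company`, but `can-see-company?` (added in the utils.clj hunk of this commit) looks up `(:id company)` in the identity's company set, so for a non-map argument the lookup is nil and every non-admin caller is rejected; the new calls in add-handwritten-check (checks.clj), add-invoice and edit-expense-accounts (invoices.clj) pass ids the same way. Denying is the safe failure, but it means the per-company authorization never grants anything and these resolvers only work for admins. Either hand the helper the record, `(assert-can-see-company (:id context) (companies/get-by-id (:company_id args)))`, or add an id-taking variant in utils and call that here. Whether the values in `(:companies identity)` and the GraphQL `company_id` argument are of the same type cannot be confirmed from the hunk and should be checked alongside. print-checks' body continues past the hunk.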
@@ -1,5 +1,5 @@
 (ns auto-ap.graphql.checks
- (:require [auto-ap.graphql.utils :refer [->graphql <-graphql]]
+ (:require [auto-ap.graphql.utils :refer [->graphql <-graphql assert-can-see-company]]
 [com.walmartlabs.lacinia :refer [execute]] [com.walmartlabs.lacinia.executor :as executor]
@@ -44,6 +44,7 @@
 (defn add-handwritten-check [context args value] (let [invoice (invoices/get-by-id (:invoice_id args))
+ _ (assert-can-see-company (:id context) (:company-id invoice))
 check (checks/insert! {:s3-uuid nil :s3-key nil :s3-url nil
diff --git a/src/clj/auto_ap/graphql/invoices.clj b/src/clj/auto_ap/graphql/invoices.clj
index 7b3330fe..aa6f9a1d 100644
--- a/src/clj/auto_ap/graphql/invoices.clj
+++ b/src/clj/auto_ap/graphql/invoices.clj
@@ -1,5 +1,5 @@
 (ns auto-ap.graphql.invoices
- (:require [auto-ap.graphql.utils :refer [->graphql]]
+ (:require [auto-ap.graphql.utils :refer [->graphql assert-can-see-company]]
 [auto-ap.db.invoices :as invoices] [auto-ap.db.vendors :as vendors] [auto-ap.db.companies :as companies]
@@ -13,6 +13,7 @@
 (defn add-invoice [context {{:keys [total invoice_number company_id vendor_id vendor_name date] :as in} :invoice} value] (let [vendor (-create-or-get-vendor vendor_id vendor_name)
+ _ (assert-can-see-company (:id context) company_id)
 company (companies/get-by-id company_id) [invoice] (invoices/insert-multi! [{:invoice-number invoice_number
@@ -37,6 +38,7 @@
 (invoices-expense-accounts/get-for-invoice (:id value)))) (defn edit-expense-accounts [context args value]
+ (assert-can-see-company (:id context) (:company-id (invoices/get-by-id (:invoice_id args))))
 (invoices-expense-accounts/replace-for-invoice (:invoice_id args) (map (fn [{:keys [id expense_account_id amount location]}] { :expense-account-id expense_account_id
diff --git a/src/clj/auto_ap/graphql/users.clj b/src/clj/auto_ap/graphql/users.clj
index 2030af47..7a2b12a5 100644
--- a/src/clj/auto_ap/graphql/users.clj
+++ b/src/clj/auto_ap/graphql/users.clj
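Review bot: In add-invoice the authorization binding is the second `let` binding, after `-create-or-get-vendor`, which by its name may insert a vendor row, so a caller not entitled to `company_id` can leave that side effect behind before `throw-unauthorized` fires. Put the check first so nothing is written for a rejected request: `(let [_ (assert-can-see-company (:id context) company_id)` followed by `vendor (-create-or-get-vendor vendor_id vendor_name)`. That order also keeps the `companies/get-by-id` read behind the check. The rest of add-invoice's body is outside the hunk.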
@@ -1,8 +1,9 @@
 (ns auto-ap.graphql.users (:require [auto-ap.db.users :as users]
- [auto-ap.graphql.utils :refer [->graphql]]))
+ [auto-ap.graphql.utils :refer [->graphql assert-admin]]))
 (defn edit-user [context args value]
+ (assert-admin (:id context))
 (users/update! (:edit_user args)) (->graphql (users/get-by-id (:id (:edit_user args)))))
diff --git a/src/clj/auto_ap/graphql/utils.clj b/src/clj/auto_ap/graphql/utils.clj
index a29b0ae9..ea0e95a4 100644
--- a/src/clj/auto_ap/graphql/utils.clj
+++ b/src/clj/auto_ap/graphql/utils.clj
@@ -1,5 +1,6 @@
 (ns auto-ap.graphql.utils (:require [clojure.string :as str]
+ [buddy.auth :refer [throw-unauthorized]]
 [clojure.walk :as walk]))
@@ -38,3 +39,16 @@
 :else node)) m))
+
+
+(defn assert-admin [id]
+ (when-not (= "admin" (:role id))
+ (throw-unauthorized)))
+ (defn can-see-company? [identity company]
+ (or (= "admin" (:role identity))
+ ((set (:companies identity)) (:id company))))
+ (defn assert-can-see-company [identity company]
+ (when-not (can-see-company? identity company)
+ (throw-unauthorized)))
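Review bot: `assert-admin` names its parameter `id` yet reads it as the identity map (`(:role id)`), and none of the three new helpers carries a docstring saying what shape of argument it expects; rename it `identity` to match its siblings and document each, e.g. `"Throws unauthorized unless identity carries role \"admin\"."` on assert-admin and `"True when identity is an admin or company's :id is among identity's :companies."` on can-see-company?. In can-see-company? the bare set call `((set (:companies identity)) (:id company))` reads as an anonymous function application and yields the id rather than a boolean; `(contains? (set (:companies identity)) (:id company))` states the intent directly with the same truthiness for non-nil ids. A nil identity (no authenticated principal) makes every helper throw, which is the right default and worth recording in the docstrings.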