diff --git a/svc/queries/account.go b/svc/queries/account.go
index a0ac4d8..1c7b94e 100644
--- a/svc/queries/account.go
+++ b/svc/queries/account.go
@@ -13,12 +13,25 @@ import (
 func GetAccounts(ctx context.Context) ([]models.Account, error) {
- piyasaFilter := authz.BuildMSSQLPiyasaFilter(ctx, "f2.CustomerAtt01")
+ piyasaCodes := authz.GetPiyasaCodesFromCtx(ctx)
- if strings.TrimSpace(piyasaFilter) == "" {
- piyasaFilter = "1=1"
+ // 🔴 HİÇ YETKİ YOKSA → HİÇ DATA VERME
+ if len(piyasaCodes) == 0 {
+ log.Println("⚠️ No piyasa permission → empty account list")
+ return []models.Account{}, nil
 }
+ // ✅ Güvenli filter üret
+ quoted := make([]string, 0, len(piyasaCodes))
+ for _, p := range piyasaCodes {
+ quoted = append(quoted, "'"+p+"'")
+ }
+
+ piyasaFilter := fmt.Sprintf(
+ "f2.CustomerAtt01 IN (%s)",
+ strings.Join(quoted, ","),
+ )
+
 query := fmt.Sprintf(`
 SELECT
 x.AccountCode,
@@ -38,8 +51,7 @@ func GetAccounts(ctx context.Context) ([]models.Account, error) {
 ORDER BY x.AccountCode
 `, piyasaFilter)
- log.Println("🔎 ACCOUNT PIYASA FILTER =", piyasaFilter)
- log.Println("🔎 ACCOUNT QUERY =", query)
+ log.Println("🔎 ACCOUNT FILTER =", piyasaFilter)
 rows, err := db.MssqlDB.Query(query)
 if err != nil {
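Review bot: The IN-list built with `"'"+p+"'"` in the first hunk splices each piyasa code into the SQL text with no quote escaping, so a code containing a single quote would end the literal and alter the statement; the removed `authz.BuildMSSQLPiyasaFilter` helper may have handled that, but the inline replacement under the "Güvenli filter üret" comment does not, and whether the codes are trustworthy depends on where `GetPiyasaCodesFromCtx` sources them (presumably a token claim or permission table — worth confirming). The robust form is to emit one placeholder per code and pass the values as query arguments, which also removes the need to reason about MSSQL quoting rules at all. That requires changing the `db.MssqlDB.Query(query)` call in the second hunk to `db.MssqlDB.Query(query, args...)` — and since `ctx` is already in hand, `db.MssqlDB.QueryContext(ctx, query, args...)` would additionally honour cancellation. `GetAccounts` continues past the end of both hunks, so the rows/scan handling is not visible here.
```go
	piyasaCodes := authz.GetPiyasaCodesFromCtx(ctx)
	// … unchanged: empty-permission early return …

	// One placeholder per code; the values travel as query parameters, never as SQL text.
	// @pN is the go-mssqldb placeholder syntax — adjust if a different driver is in use.
	placeholders := make([]string, 0, len(piyasaCodes))
	args := make([]any, 0, len(piyasaCodes))
	for i, p := range piyasaCodes {
		placeholders = append(placeholders, fmt.Sprintf("@p%d", i+1))
		args = append(args, p)
	}

	piyasaFilter := fmt.Sprintf(
		"f2.CustomerAtt01 IN (%s)",
		strings.Join(placeholders, ","),
	)
	// … unchanged: query construction and filter log line …
	rows, err := db.MssqlDB.QueryContext(ctx, query, args...)
```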