diff --git a/aleksis/apps/tezor/templates/tezor/invoice/full.html b/aleksis/apps/tezor/templates/tezor/invoice/full.html
index 16cc9ad74654cf2174e5002bb6f32c4939f1b11b..31be9f5afd37e482b5cf39cc79920081cb1c3195 100644
--- a/aleksis/apps/tezor/templates/tezor/invoice/full.html
+++ b/aleksis/apps/tezor/templates/tezor/invoice/full.html
@@ -14,6 +14,7 @@
     {% has_perm 'tezor.print_invoice_rule' user object as can_print_invoice %}
     {% has_perm 'tezor.send_invoice_email_rule' user object as can_send_invoice_email %}
     {% has_perm 'tezor.change_payment_variant' user object as can_change_variant %}
+    {% has_perm 'tezor.mark_paid_rule' user object as can_mark_as_paid %}
 
     <h1>{% trans "Invoice" %} {{ object.number }} — {{ object.created.date }}</h1>
 
@@ -106,7 +107,7 @@
               </button>
             </div>
             {% endif %}
-            {% if object.status == "preauth" %}
+            {% if object.status == "preauth" and can_mark_as_paid %}
             <div class="card-action">
               <a class="btn waves-effect waves-light green" href="{% url 'mark_invoice_paid_by_token' object.token %}">
                 <i class="material-icons left iconify" data-icon="mdi:check-all"></i>
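Review bot: The `can_mark_as_paid` condition added to the `{% if %}` around this card-action only hides the link, so on its own it is a UI restriction rather than an access check. The view behind `mark_invoice_paid_by_token` is not part of this diff; please confirm it checks `tezor.mark_paid_rule` server-side for the invoice, and that holding `object.token` alone is not treated as sufficient authorisation. Separately, the action is rendered as a plain `<a href="{% url 'mark_invoice_paid_by_token' object.token %}">`, which makes what appears to be a state-changing operation a GET request with no CSRF protection and puts the token into URLs that end up in logs and browser history. Consider a small `<form method="post">` with `{% csrf_token %}` and a submit button, with the view accepting POST only. The card-action block continues past the end of the hunk.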