diff --git a/src/main/java/au/com/royalpay/payment/manage/appclient/core/RetailAppService.java b/src/main/java/au/com/royalpay/payment/manage/appclient/core/RetailAppService.java
index b97328977..1779af0b5 100644
--- a/src/main/java/au/com/royalpay/payment/manage/appclient/core/RetailAppService.java
+++ b/src/main/java/au/com/royalpay/payment/manage/appclient/core/RetailAppService.java
@@ -94,7 +94,7 @@ public interface RetailAppService {
 
     void drawDeposits(JSONObject device, BigDecimal draw_amount, String client_id);
 
-    JSONObject getCashbackCleanInfo(JSONObject device);
+    JSONObject getCashbackCleanInfo(JSONObject device,String client_id);
 
     void sendMassageByCode(JSONObject params);
 
diff --git a/src/main/java/au/com/royalpay/payment/manage/appclient/core/impls/RetailAppServiceImp.java b/src/main/java/au/com/royalpay/payment/manage/appclient/core/impls/RetailAppServiceImp.java
index d12236795..a8655bcf2 100644
--- a/src/main/java/au/com/royalpay/payment/manage/appclient/core/impls/RetailAppServiceImp.java
+++ b/src/main/java/au/com/royalpay/payment/manage/appclient/core/impls/RetailAppServiceImp.java
@@ -1050,13 +1050,17 @@ public class RetailAppServiceImp implements RetailAppService {
     }
 
     @Override
-    public JSONObject getCashbackCleanInfo(JSONObject device) {
+    public JSONObject getCashbackCleanInfo(JSONObject device,String client_id) {
         String clientType = device.getString("client_type");
         deviceSupport.findRegister(clientType);
-        JSONObject res = clientManager.getBankAccountByClientId(device.getIntValue("client_id"));
-        JSONObject rate = merchantInfoProvider.clientCurrentRate(device.getIntValue("client_id"), new Date(), "Wechat");
+        JSONArray clientIds = clientManager.getAllClientIds(device.getIntValue("client_id"));
+        if (!clientIds.contains(client_id)) {
+            throw new ForbiddenException("partner has no permission");
+        }
+        JSONObject res = clientManager.getBankAccountByClientId(Integer.parseInt(client_id));
+        JSONObject rate = merchantInfoProvider.clientCurrentRate(Integer.parseInt(client_id), new Date(), "Wechat");
         if (rate.getInteger("clean_days") == null) {
-            JSONObject client = clientManager.getClientInfo(device.getIntValue("client_id"));
+            JSONObject client = clientManager.getClientInfo(Integer.parseInt(client_id));
             rate.put("clean_days", client.getIntValue("clean_days"));
         }
         res.put("clean_days", rate.getIntValue("clean_days"));
diff --git a/src/main/java/au/com/royalpay/payment/manage/appclient/web/RetailAppController.java b/src/main/java/au/com/royalpay/payment/manage/appclient/web/RetailAppController.java
index c7a8932b1..bb679fd4a 100644
--- a/src/main/java/au/com/royalpay/payment/manage/appclient/web/RetailAppController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/appclient/web/RetailAppController.java
@@ -236,8 +236,11 @@ public class RetailAppController {
     }
 
     @RequestMapping(value = "/cash_back/clean_info", method = RequestMethod.GET)
-    public JSONObject getCashbackCleanInfo(@ModelAttribute(CommonConsts.RETAIL_DEVICE) JSONObject device) {
-        return retailAppService.getCashbackCleanInfo(device);
+    public JSONObject getCashbackCleanInfo(@ModelAttribute(CommonConsts.RETAIL_DEVICE) JSONObject device,@RequestParam(value = "client_id",required = false) String client_id) {
+        if (client_id==null){
+            client_id=device.getString("client_id");
+        }
+        return retailAppService.getCashbackCleanInfo(device,client_id);
     }
 
     @RequestMapping(value = "/partner_signin_app_qrcode/{codeId}", method = RequestMethod.GET)