diff --git a/src/main/java/au/com/royalpay/payment/manage/merchants/web/PartnerViewController.java b/src/main/java/au/com/royalpay/payment/manage/merchants/web/PartnerViewController.java
index 2953de97c..7d04cc0f2 100644
--- a/src/main/java/au/com/royalpay/payment/manage/merchants/web/PartnerViewController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/merchants/web/PartnerViewController.java
@@ -11,6 +11,7 @@ import au.com.royalpay.payment.manage.merchants.beans.NewAccountBean;
 import au.com.royalpay.payment.manage.merchants.core.ClientManager;
 import au.com.royalpay.payment.manage.merchants.core.ClientSignEventSupport;
 import au.com.royalpay.payment.manage.permission.manager.PartnerMapping;
+import au.com.royalpay.payment.manage.permission.manager.RequireManager;
 import au.com.royalpay.payment.manage.permission.manager.RequirePartner;
 import au.com.royalpay.payment.manage.pos.datasource.ReadOnlyConnection;
 import au.com.royalpay.payment.manage.signin.core.SignInAccountService;
@@ -25,6 +26,7 @@ import au.com.royalpay.payment.tools.exceptions.BadRequestException;
 import au.com.royalpay.payment.tools.exceptions.ForbiddenException;
 import au.com.royalpay.payment.tools.http.HttpUtils;
 import au.com.royalpay.payment.tools.merchants.beans.QRCodeConfig;
+import au.com.royalpay.payment.tools.permission.enums.ManagerRole;
 import au.com.royalpay.payment.tools.permission.enums.PartnerRole;
 import au.com.royalpay.payment.tools.permission.wechat.WechatMapping;
 import com.alibaba.fastjson.JSONObject;
@@ -683,8 +685,11 @@ public class PartnerViewController {
     }
     @PartnerMapping(value = "/cancel_order", method = RequestMethod.POST)
     @ResponseBody
+    @RequireManager(role = {ManagerRole.ADMIN, ManagerRole.OPERATOR, ManagerRole.FINANCIAL_STAFF, ManagerRole.SERVANT})
+    @RequirePartner
     public JSONObject cancel(@ModelAttribute(CommonConsts.PARTNER_STATUS) JSONObject account, @RequestBody JSONObject order, Errors errors) {
         System.out.println("=====>cancel_order");
-        return cancelOrderService.cancelOrderOrNot(order.getString("orderId"));
+        //暂时未给运营端使用，仅商户端使用
+        return cancelOrderService.cancelOrderOrNot(order.getString("orderId"),account.getIntValue("client_id"));
     }
 }