From 4dd5b278a5a31f05726a4d4e2149d3eadb042ccf Mon Sep 17 00:00:00 2001
From: "eason.qian"
Date: Thu, 18 Jan 2018 18:23:34 +0800
Subject: [PATCH] fix

---
 .../organizations/core/impls/OrgManagerImpl.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/main/java/au/com/royalpay/payment/manage/organizations/core/impls/OrgManagerImpl.java b/src/main/java/au/com/royalpay/payment/manage/organizations/core/impls/OrgManagerImpl.java
index dc9445697..233d69e1a 100644
--- a/src/main/java/au/com/royalpay/payment/manage/organizations/core/impls/OrgManagerImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/organizations/core/impls/OrgManagerImpl.java
@@ -155,6 +155,13 @@ public class OrgManagerImpl implements OrgManager {
 if(params.getString("org_id2") == null){
 orgIds(params,manager);
 }else {
+ if (manager.getInteger("org_id")!=null){
+ List orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+ List orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+ if (!orgIds.contains(params.getString("org_id2"))){
+ throw new ForbiddenException("You have no permission to query the org");
+ }
+ }
 params.put("org_id",params.getString("org_id2"));
 params.remove("org_id2");
 }
@@ -170,6 +177,13 @@ public class OrgManagerImpl implements OrgManager {
 }
 }
 }else {
+ if (manager.getInteger("org_id")!=null){
+ List orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+ List orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+ if (!orgIds.contains(params.getString("org_id2"))){
+ throw new ForbiddenException("You have no permission to query the org");
+ }
+ }
 params.put("org_id",params.getString("org_id2"));
 params.remove("org_id2");
 }
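Review bot: The new authorization check in both hunks (at @@ -155 and again at @@ -170) compares values of different types and so can never succeed: `orgIds` is built from `org.getIntValue("org_id")`, i.e. a list of `Integer`, but `contains` is given `params.getString("org_id2")`, a `String`, so `orgIds.contains(...)` is always false and every manager with a non-null `org_id` is thrown a `ForbiddenException` even for an org they are allowed to query. The failure is fail-closed (a denial, not a bypass), but the check still does not validate anything; compare as the same type, e.g. `if (!orgIds.contains(params.getIntValue("org_id2"))) {`, assuming `params` is the same JSON type as `manager` and that a non-numeric `org_id2` is rejected earlier rather than silently coerced — worth confirming. The identical seven lines appear in both hunks; extracting them into one private helper such as `assertOrgVisibleToManager(params, manager)` with typed locals (`List<Integer> orgIds` instead of the raw `List`) would keep the two permission paths from drifting apart. The enclosing method starts before and, for the first hunk, continues after the hunk, so the surrounding handling of `org_id2` is not visible here.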