fix

src/main/java/au/com/royalpay/payment/manage/organizations/core/impls/OrgManagerImpl.java

@@ -155,6 +155,13 @@ public class OrgManagerImpl implements OrgManager {
             if(params.getString("org_id2") == null){
                 orgIds(params,manager);
             }else {
+                if (manager.getInteger("org_id")!=null){
+                    List<JSONObject> orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+                    List<Integer> orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+                    if (!orgIds.contains(params.getString("org_id2"))){
+                        throw new ForbiddenException("You have no permission to query the org");
+                    }
+                }
                 params.put("org_id",params.getString("org_id2"));
                 params.remove("org_id2");
             }
@@ -170,6 +177,13 @@ public class OrgManagerImpl implements OrgManager {
                     }
                 }
             }else {
+                if (manager.getInteger("org_id")!=null){
+                    List<JSONObject> orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+                    List<Integer> orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+                    if (!orgIds.contains(params.getString("org_id2"))){
+                        throw new ForbiddenException("You have no permission to query the org");
+                    }
+                }
                 params.put("org_id",params.getString("org_id2"));
                 params.remove("org_id2");
             }