From 63f6832d5e466873c5aa49db2c77818ae48426ee Mon Sep 17 00:00:00 2001
From: "eason.qian"
Date: Wed, 10 Jan 2018 17:06:32 +0800
Subject: [PATCH] fix

---
 .../merchants/core/impls/ClientManagerImpl.java | 12 +++++-------
 .../signin/core/impls/ManagerAccountServiceImpl.java | 9 +++++++--
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java b/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
index 2899bf6ba..dacf64869 100644
--- a/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
@@ -83,6 +83,7 @@ import java.net.URL;
 import java.util.*;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;
 
@@ -278,13 +279,10 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
 
 private void checkClientOrg(JSONObject manager, JSONObject client) {
 if (manager.getInteger("org_id")!=null){
- JSONObject org = orgMapper.findOne(client.getIntValue("org_id"));
- if (org.getInteger("parent_org_id")!=null){
- if (org.getIntValue("org_id")!=manager.getIntValue("org_id")){
- throw new ForbiddenException("The org of client is not belong to you");
- }
- }else {
- checkOrgPermission(manager, client);
+ List orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+ List orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+ if (!orgIds.contains(client.getIntValue("org_id"))){
+ throw new ForbiddenException("The org of client is not belong to you");
 }
 }
 }
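Review bot: The new check in checkClientOrg compares `client.getIntValue("org_id")` against the id list, and if this is fastjson's JSONObject that call returns 0 when the key is absent, so a client record with no org_id is tested as org 0 instead of being rejected; reading it as `Integer clientOrgId = client.getInteger("org_id");` and throwing when `clientOrgId == null || !orgIds.contains(clientOrgId)` fails closed. The same subtree lookup (listOrgAndChild, map to org_id, contains) is repeated in the ManagerAccountServiceImpl hunk below; one shared helper that returns the org ids a manager may act on would keep the two authorization checks from drifting apart. As rendered here `List orgs` and `List orgIds` carry no type arguments; if that is not a display artifact they should be declared `List<JSONObject>` and `List<Integer>`. The removed else-branch means `checkOrgPermission(manager, client)` is no longer called from this path, so it is worth confirming that the new membership test covers everything that method enforced for top-level orgs.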
diff --git a/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java b/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java
index db4a24622..4ae1b33cf 100644
--- a/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java
@@ -15,6 +15,7 @@ import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
 import java.util.List;
+import java.util.stream.Collectors;
 
 /**
 * Created by yixian on 2016-07-06.
@@ -78,8 +79,12 @@ public class ManagerAccountServiceImpl implements ManagerAccountsService {
 }
 JSONObject obj = manager.accountJson(false);
 if (!ManagerRole.ADMIN.hasRole(loginManager.getIntValue("role"))) {
- if (managerFromDb.getIntValue("org_id") != loginManager.getIntValue("org_id")) {
- throw new BadRequestException("You cannot modify accounts belong to other organizations");
+ if (loginManager.getInteger("org_id")!=null){
+ List orgs = orgMapper.listOrgAndChild(loginManager.getIntValue("org_id"));
+ List orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+ if (!orgIds.contains(managerFromDb.getIntValue("org_id"))){
+ throw new BadRequestException("You cannot modify accounts belong to other organizations");
+ }
 }
 if (manager.isAdmin() || manager.isFinacial() || manager.isOperator() || manager.isServant() || manager.isSitemanager() || manager.isDeveloper()) {
 throw new BadRequestException("Invalid Role");
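Review bot: Wrapping the org comparison in `if (loginManager.getInteger("org_id")!=null)` means a non-admin manager whose org_id is null now skips the organization restriction altogether, whereas the removed comparison would have thrown for such a manager unless the target also had no org (both sides reading as 0 via getIntValue, assuming fastjson semantics), so the change widens who may modify accounts; if a non-admin is never expected to lack an org_id, the new block should fail closed with an `else { throw new BadRequestException("You cannot modify accounts belong to other organizations"); }` branch rather than fall through. The same missing-key concern applies to `managerFromDb.getIntValue("org_id")` on the contains line, where an absent value is checked as org 0. ClientManagerImpl's equivalent check throws ForbiddenException for the same condition, so this site could use the same exception type for consistency. The enclosing method begins and ends outside this hunk.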