fix

7 years ago · 63f6832d5e
parent 575f0b7725
commit 63f6832d5e
2 changed files with 12 additions and 9 deletions
--- a/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
@ -83,6 +83,7 @@ import java.net.URL;
 import java.util.*;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipOutputStream;

@ -278,14 +279,11 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid

    private void checkClientOrg(JSONObject manager, JSONObject client) {
        if (manager.getInteger("org_id")!=null){
-            JSONObject org = orgMapper.findOne(client.getIntValue("org_id"));
-            if (org.getInteger("parent_org_id")!=null){
-                if (org.getIntValue("org_id")!=manager.getIntValue("org_id")){
+            List<JSONObject> orgs = orgMapper.listOrgAndChild(manager.getIntValue("org_id"));
+            List<Integer> orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+            if (!orgIds.contains(client.getIntValue("org_id"))){
                throw new ForbiddenException("The org of client is not belong to you");
            }
-            }else {
-                checkOrgPermission(manager, client);
-            }
        }
    }

--- a/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/signin/core/impls/ManagerAccountServiceImpl.java
@ -15,6 +15,7 @@ import org.springframework.stereotype.Service;

 import javax.annotation.Resource;
 import java.util.List;
+import java.util.stream.Collectors;

 /**
 * Created by yixian on 2016-07-06.
@ -78,9 +79,13 @@ public class ManagerAccountServiceImpl implements ManagerAccountsService {
        }
        JSONObject obj = manager.accountJson(false);
        if (!ManagerRole.ADMIN.hasRole(loginManager.getIntValue("role"))) {
-            if (managerFromDb.getIntValue("org_id") != loginManager.getIntValue("org_id")) {
+            if (loginManager.getInteger("org_id")!=null){
+                List<JSONObject> orgs = orgMapper.listOrgAndChild(loginManager.getIntValue("org_id"));
+                List<Integer> orgIds = orgs.stream().map(org->org.getIntValue("org_id")).collect(Collectors.toList());
+                if (!orgIds.contains(managerFromDb.getIntValue("org_id"))){
                    throw new BadRequestException("You cannot modify accounts belong to other organizations");
                }
+            }
            if (manager.isAdmin() || manager.isFinacial() || manager.isOperator() || manager.isServant() || manager.isSitemanager() || manager.isDeveloper()) {
                throw new BadRequestException("Invalid Role");
            }