fix

src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java

@@ -214,7 +214,7 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         if (client == null) {
             throw new InvalidShortIdException();
         }
-        checkOrgPermission(manager, client);
+        checkClientOrg(manager, client);
         client.put("show_all_permission", true);
         int role = manager != null ? manager.getIntValue("role") : 0;
         if (manager != null) {
@@ -274,6 +274,19 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         return client;
     }
 
+    private void checkClientOrg(JSONObject manager, JSONObject client) {
+        if (manager.getInteger("org_id")!=null){
+            JSONObject org = orgMapper.findOne(client.getIntValue("org_id"));
+            if (org.getInteger("parent_org_id")!=null){
+                if (org.getIntValue("parent_org_id")!=manager.getIntValue("org_id")){
+                    throw new ForbiddenException("The org of client is not belong to you");
+                }
+            }else {
+                checkOrgPermission(manager, client);
+            }
+        }
+    }
+
     @Override
     public JSONObject getClientDetailById(int clientId) {
         JSONObject client = getClientInfo(clientId);
@@ -1388,7 +1401,7 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         if (client == null) {
             throw new InvalidShortIdException();
         }
-        checkOrgPermission(manager, client);
+        checkClientOrg(manager,client);
         JSONObject params = new JSONObject();
         params.put("client_id", client.getIntValue("client_id"));
         params.put("is_valid", "1");