diff --git a/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java b/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
index 008a48d03..a0051133a 100644
--- a/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
+++ b/src/main/java/au/com/royalpay/payment/manage/merchants/core/impls/ClientManagerImpl.java
@@ -214,7 +214,7 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         if (client == null) {
             throw new InvalidShortIdException();
         }
-        checkOrgPermission(manager, client);
+        checkClientOrg(manager, client);
         client.put("show_all_permission", true);
         int role = manager != null ? manager.getIntValue("role") : 0;
         if (manager != null) {
@@ -274,6 +274,19 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         return client;
     }
 
+    private void checkClientOrg(JSONObject manager, JSONObject client) {
+        if (manager.getInteger("org_id")!=null){
+            JSONObject org = orgMapper.findOne(client.getIntValue("org_id"));
+            if (org.getInteger("parent_org_id")!=null){
+                if (org.getIntValue("parent_org_id")!=manager.getIntValue("org_id")){
+                    throw new ForbiddenException("The org of client is not belong to you");
+                }
+            }else {
+                checkOrgPermission(manager, client);
+            }
+        }
+    }
+
     @Override
     public JSONObject getClientDetailById(int clientId) {
         JSONObject client = getClientInfo(clientId);
@@ -1388,7 +1401,7 @@ public class ClientManagerImpl implements ClientManager, ManagerTodoNoticeProvid
         if (client == null) {
             throw new InvalidShortIdException();
         }
-        checkOrgPermission(manager, client);
+        checkClientOrg(manager,client);
         JSONObject params = new JSONObject();
         params.put("client_id", client.getIntValue("client_id"));
         params.put("is_valid", "1");
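Review bot: `checkClientOrg(manager, client)` is now called two lines before the `manager != null` guard in the same method, so the caller evidently allows a null manager, and the new helper dereferences it unconditionally (`manager.getInteger("org_id")`) — a null manager that used to reach `checkOrgPermission` now fails with a NullPointerException instead of whatever that check decided. The third hunk (the call around line 1404) swaps the same call and presumably has the same exposure. The least surprising fix is to keep the old path for that case at the top of the helper, `if (manager == null) { checkOrgPermission(manager, client); return; }`, so behaviour for a null manager is unchanged by this commit. The enclosing method starts outside the hunk, so I cannot confirm where `manager` comes from.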
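Review bot: `org` returned by `orgMapper.findOne(...)` is dereferenced without a null check, and the rule that follows only accepts a manager whose `org_id` equals the client's `parent_org_id` exactly — a manager in the client's own org (or an org-less manager, for whom the whole check is now skipped) no longer goes through `checkOrgPermission` at all in those branches. Whether that is a regression depends on what `checkOrgPermission` allows, which is outside the hunk, but an authorization helper should not be more permissive than the check it replaces in any branch. I would keep the parent-org rule as an explicit allow and let the pre-existing check decide every other case, including a missing org row; the message could also read `"The client's org does not belong to you"`.
```java
private void checkClientOrg(JSONObject manager, JSONObject client) {
    if (manager.getInteger("org_id") != null) {
        JSONObject org = orgMapper.findOne(client.getIntValue("org_id"));
        // Explicit allow for the parent org only; a missing org row, no parent,
        // or a mismatched parent falls through to the pre-existing check, so this
        // is never more permissive than checkOrgPermission alone.
        if (org != null && org.getInteger("parent_org_id") != null
                && org.getIntValue("parent_org_id") == manager.getIntValue("org_id")) {
            return;
        }
    }
    checkOrgPermission(manager, client);
}
```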