From 7ae067e369a5d9bf4299c72eaae5074405c6a265 Mon Sep 17 00:00:00 2001
From: DacongDA
Date: Wed, 16 Oct 2024 00:02:04 +0800
Subject: [PATCH] feat: only admin can specify user in BuyProduct() (#3287)

* fix: balance can be used without login
* fix: balance can be used without login
* fix: fix bug
* fix: fix bug
---
 controllers/product.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/controllers/product.go b/controllers/product.go
index d034e294..add6dcfd 100644
--- a/controllers/product.go
+++ b/controllers/product.go
@@ -182,6 +182,10 @@ func (c *ApiController) BuyProduct() {
 paidUserName := c.Input().Get("userName")
 owner, _ := util.GetOwnerAndNameFromId(id)
 userId := util.GetId(owner, paidUserName)
+ if paidUserName != "" && !c.IsAdmin() {
+ c.ResponseError(c.T("general:Only admin user can specify user"))
+ return
+ }
 if paidUserName == "" {
 userId = c.GetSessionUsername()
 }
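Review bot: The new guard `if paidUserName != "" && !c.IsAdmin()` checks only that the caller is an admin, not that the caller administers the organization named by `owner`, while `userId` is built from the product's `owner` plus the request-supplied `userName`. If `IsAdmin()` also returns true for organization-level admins (its definition is not in this hunk), an admin of one organization could have a purchase charged to a user of another. Consider also requiring that the caller's organization equals `owner` unless the caller is a global admin, and record the intent with a comment such as `// userName is honoured only for admins of the product's organization`. The guard would also read better placed before `userId := util.GetId(owner, paidUserName)`, so the request value is authorized before it is used to build an id. BuyProduct's body starts and ends outside the hunk, so whether an empty `c.GetSessionUsername()` is rejected later cannot be confirmed from here.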