diff --git a/app/app/(admin)/components/users-table.tsx b/app/app/(admin)/components/users-table.tsx
index 31185b25a..06971bbd5 100644
--- a/app/app/(admin)/components/users-table.tsx
+++ b/app/app/(admin)/components/users-table.tsx
@@ -46,7 +46,7 @@ function UserTableSearchInput({ users, setUsers, setLoading }: UserInterface) {
 setLoading(true);
 const fetchUsers = async () => {
 try {
- const url = new URL("/api/admin/users/", "http://localhost:3000");
+ const url = new URL("/api/admin/users/", window.location.href);
 url.searchParams.append("search", searchText);
 console.log(url, "url");
 const response = await fetch(url);
diff --git a/middleware.ts b/middleware.ts
index 1db069faf..6a1e5bc28 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server";
 import type { NextRequest } from "next/server";
 import { getToken } from "next-auth/jwt";
-import { DENY_LIST, isName } from "@/lib/auth_list";
+import { DENY_LIST, isName, ADMIN_LIST } from "@/lib/auth_list";
 export default async function middleware(req: NextRequest) {
 const url = req.nextUrl;
@@ -16,6 +16,18 @@ export default async function middleware(req: NextRequest) {
 const session = await getToken({ req });
+ // 管理员页面的api接口还是要认证的
+ if (path.startsWith('/api/admin/')) {
+ let is_admin_user = false;
+ // 需要确认是管理员
+ if (session && session?.user) {
+ if (ADMIN_LIST.includes(session?.name ?? "")) {
+ is_admin_user = true
+ }
+ }
+ if (!is_admin_user) return NextResponse.json({error: '无管理员授权'}, { status: 401 });
+
+ }
 // console.log('==============,认证,', path, session)
 // 认证有点多此一举,页面中的认证应该已经够了
 // if (!session && path !== "/login") {
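Review bot: The `console.log(url, "url")` line two lines below the changed `new URL(...)` call is leftover debug output; it writes the full request URL, including the admin search text, to the browser console and should be removed. Resolving `/api/admin/users/` against `window.location.href` gives the current origin as intended, but `window.location.origin` states that intent more directly, `const url = new URL("/api/admin/users/", window.location.origin);`. The middleware in this same commit now answers non-admin calls to this route with a 401 JSON body, so the code after `fetch(url)` (outside this hunk) should test `response.ok` before consuming the body rather than relying on the surrounding `try`. `fetchUsers` starts in the hunk and continues past it.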
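Review bot: The admin gate answers both an absent session and a signed-in non-admin with `status: 401`; 401 means unauthenticated, a caller with a valid token whose name is not in `ADMIN_LIST` is a 403, and the two cases are worth telling apart for clients and for access logs, e.g. `{ status: session ? 403 : 401 }`. The membership test keys on `session?.name`, the token's display name; if the configured provider lets a user change that value, key `ADMIN_LIST` on a stable claim such as the token's `sub` or `email` instead (the token shape is set outside this hunk, so this is an assumption to confirm). `path.startsWith('/api/admin/')` leaves a bare `/api/admin` route unguarded, so adding `path === '/api/admin' ||` is cheap, and the check only runs at all if the middleware `matcher` (not visible here) covers `/api/admin` paths. Style-wise, `is_admin_user` should be `isAdminUser`, the `?.` in `session?.user` is redundant after `session &&`, and the nested ifs collapse to one boolean, as below. The middleware function starts in the first hunk and continues past this one.
```typescript
  if (path === '/api/admin' || path.startsWith('/api/admin/')) {
    // Only ADMIN_LIST members may call the admin API: a valid token not on the list is forbidden, no token is unauthenticated.
    const isAdminUser = session?.user != null && ADMIN_LIST.includes(session.name ?? "");
    if (!isAdminUser) {
      return NextResponse.json({ error: '无管理员授权' }, { status: session ? 403 : 401 });
    }
  }
  // … unchanged: commented-out page-level auth block …
```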