diff --git a/api/core/types/web.go b/api/core/types/web.go
index 9d0413c5..a59ed6d8 100644
--- a/api/core/types/web.go
+++ b/api/core/types/web.go
@@ -31,8 +31,9 @@ const (
 Failed = BizCode(1)
 NotAuthorized = BizCode(400) // 未授权
- OkMsg = "Success"
- ErrorMsg = "系统开小差了"
- InvalidArgs = "非法参数或参数解析失败"
- NoData = "No Data"
+ OkMsg = "Success"
+ ErrorMsg = "系统开小差了"
+ InvalidArgs = "非法参数或参数解析失败"
+ NoData = "No Data"
+ NoPermission = "没有权限"
 )
diff --git a/api/handler/admin/admin_permission_handler.go b/api/handler/admin/admin_permission_handler.go
index ad3bf724..0e26d90d 100644
--- a/api/handler/admin/admin_permission_handler.go
+++ b/api/handler/admin/admin_permission_handler.go
@@ -25,6 +25,11 @@ func NewSysPermissionHandler(app *core.AppServer, db *gorm.DB) *SysPermissionHan
 }
 
 func (h *SysPermissionHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var items []model.AdminPermission
 var data = make([]vo.AdminPermission, 0)
 res := h.db.Find(&items)
diff --git a/api/handler/admin/admin_role_handler.go b/api/handler/admin/admin_role_handler.go
index 9d7605a8..0d0758b0 100644
--- a/api/handler/admin/admin_role_handler.go
+++ b/api/handler/admin/admin_role_handler.go
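Review bot: The same four-line guard at the top of `List` is pasted into every admin handler in this commit (admin_permission_handler.go here, then admin_role_handler.go, admin_user_handler.go, api_key_handler.go, chat_handler.go, chat_model_handler.go, chat_role_handler.go, config_handler.go, dashboard_handler.go, function_handler.go, order_handler.go, product_handler.go and user_handler.go), and only read-side methods (`List`, `Get`, `Stats`) receive it; the `Save`, `Set` and `Update` methods whose closing lines appear as hunk context are untouched, so unless they are already protected elsewhere a role lacking the list permission can still write. A gin middleware registered once on the admin route group, `group.Use(func(c *gin.Context) { if err := utils.CheckPermission(c, db); err != nil { resp.ERROR(c, types.NoPermission); c.Abort(); return }; c.Next() })`, would cover every route and remove the chance of a handler being forgotten. Each `List` body continues past its hunk.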
@@ -26,12 +26,31 @@ func NewSysRoleHandler(app *core.AppServer, db *gorm.DB) *SysRoleHandler {
 type permission struct {
 Id int `json:"id"`
 Name string `json:"name"`
+ Slug string `json:"slug"`
 }
 
 func (h *SysRoleHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
+ page := h.GetInt(c, "page", 1)
+ pageSize := h.GetInt(c, "page_size", 20)
+ name := h.GetTrim(c, "name")
+
+ offset := (page - 1) * pageSize
 var items []model.AdminRole
 var data = make([]vo.AdminRole, 0)
- res := h.db.Find(&items)
+ var total int64
+
+ session := h.db.Session(&gorm.Session{})
+ if name != "" {
+ session = session.Where("name LIKE ?", "%"+name+"%")
+ }
+
+ session.Model(&model.AdminRole{}).Count(&total)
+ res := session.Offset(offset).Limit(pageSize).Find(&items)
 if res.Error != nil {
 resp.ERROR(c, "暂无数据")
 return
@@ -41,16 +60,18 @@ func (h *SysRoleHandler) List(c *gin.Context) {
 err := utils.CopyObject(item, &adminRoleVo)
 if err == nil {
 var permissions []permission
- h.db.Raw("SELECT p.id,p.name "+
+ h.db.Raw("SELECT p.id,p.name,p.slug "+
 "FROM chatgpt_admin_role_permissions as rp "+
 "LEFT JOIN chatgpt_admin_permissions as p ON rp.permission_id = p.id "+
 "WHERE rp.role_id = ?", item.Id).Scan(&permissions)
+ adminRoleVo.Permissions = permissions
 adminRoleVo.CreatedAt = item.CreatedAt.Format("2006-01-02 15:04:05")
 data = append(data, adminRoleVo)
 }
 }
- resp.SUCCESS(c, data)
+ pageVo := vo.NewPage(total, page, pageSize, data)
+ resp.SUCCESS(c, pageVo)
 }
 
 func (h *SysRoleHandler) Save(c *gin.Context) {
diff --git a/api/handler/admin/admin_user_handler.go b/api/handler/admin/admin_user_handler.go
index 2a50c203..a999c4a3 100644
--- a/api/handler/admin/admin_user_handler.go
+++ b/api/handler/admin/admin_user_handler.go
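Review bot: `page` and `pageSize` come straight from the query string into `offset := (page - 1) * pageSize` and `Offset(offset).Limit(pageSize)`; GORM treats a negative limit or offset as cancelling it, so `page_size=-1` returns every role, `page=0` produces a negative offset, and there is no ceiling on `page_size`. Clamp before computing the offset: `if page < 1 { page = 1 }` and `if pageSize < 1 || pageSize > 100 { pageSize = 20 }` (choose the ceiling the UI actually needs). The `name` filter is correctly parameterized, but `%` and `_` inside `name` act as wildcards in `name LIKE ?`; harmless for an admin search, worth a one-line comment if intended. The result of `session.Model(&model.AdminRole{}).Count(&total)` is discarded, so `total` silently stays 0 when that query fails. The body of `List` continues in the next hunk.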
@@ -30,6 +30,11 @@ type role struct {
 
 // List 用户列表
 func (h *SysUserHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 page := h.GetInt(c, "page", 1)
 pageSize := h.GetInt(c, "page_size", 20)
 username := h.GetTrim(c, "username")
diff --git a/api/handler/admin/api_key_handler.go b/api/handler/admin/api_key_handler.go
index e4b65d2d..9197dd26 100644
--- a/api/handler/admin/api_key_handler.go
+++ b/api/handler/admin/api_key_handler.go
@@ -68,6 +68,11 @@ func (h *ApiKeyHandler) Save(c *gin.Context) {
 }
 
 func (h *ApiKeyHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var items []model.ApiKey
 var keys = make([]vo.ApiKey, 0)
 res := h.db.Find(&items)
diff --git a/api/handler/admin/chat_handler.go b/api/handler/admin/chat_handler.go
index 2f931e62..569f7852 100644
--- a/api/handler/admin/chat_handler.go
+++ b/api/handler/admin/chat_handler.go
@@ -35,6 +35,11 @@ type chatItemVo struct {
 }
 
 func (h *ChatHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var data struct {
 Title string `json:"title"`
 UserId uint `json:"user_id"`
diff --git a/api/handler/admin/chat_model_handler.go b/api/handler/admin/chat_model_handler.go
index 1fb9fdc7..2b781a87 100644
--- a/api/handler/admin/chat_model_handler.go
+++ b/api/handler/admin/chat_model_handler.go
@@ -72,6 +72,11 @@ func (h *ChatModelHandler) Save(c *gin.Context) {
 
 // List 模型列表
 func (h *ChatModelHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 session := h.db.Session(&gorm.Session{})
 enable := h.GetBool(c, "enable")
 if enable {
diff --git a/api/handler/admin/chat_role_handler.go b/api/handler/admin/chat_role_handler.go
index 233d8434..b43eb210 100644
--- a/api/handler/admin/chat_role_handler.go
+++ b/api/handler/admin/chat_role_handler.go
@@ -53,6 +53,11 @@ func (h *ChatRoleHandler) Save(c *gin.Context) {
 }
 
 func (h *ChatRoleHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var items []model.ChatRole
 var roles = make([]vo.ChatRole, 0)
 res := h.db.Order("sort_num ASC").Find(&items)
diff --git a/api/handler/admin/config_handler.go b/api/handler/admin/config_handler.go
index 8c5cbcbf..3c7f7369 100644
--- a/api/handler/admin/config_handler.go
+++ b/api/handler/admin/config_handler.go
@@ -71,6 +71,11 @@ func (h *ConfigHandler) Update(c *gin.Context) {
 
 // Get 获取指定的系统配置
 func (h *ConfigHandler) Get(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 key := c.Query("key")
 var config model.Config
 res := h.db.Where("marker", key).First(&config)
diff --git a/api/handler/admin/dashboard_handler.go b/api/handler/admin/dashboard_handler.go
index 8c7a1c1d..34d0f334 100644
--- a/api/handler/admin/dashboard_handler.go
+++ b/api/handler/admin/dashboard_handler.go
@@ -5,6 +5,7 @@ import (
 "chatplus/core/types"
 "chatplus/handler"
 "chatplus/store/model"
+ "chatplus/utils"
 "chatplus/utils/resp"
 "github.com/gin-gonic/gin"
 "github.com/shopspring/decimal"
@@ -32,6 +33,11 @@ type statsVo struct {
 }
 
 func (h *DashboardHandler) Stats(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 stats := statsVo{}
 // new users statistic
 var userCount int64
diff --git a/api/handler/admin/function_handler.go b/api/handler/admin/function_handler.go
index abd22753..fb6e7a15 100644
--- a/api/handler/admin/function_handler.go
+++ b/api/handler/admin/function_handler.go
@@ -74,6 +74,11 @@ func (h *FunctionHandler) Set(c *gin.Context) {
 }
 
 func (h *FunctionHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var items []model.Function
 res := h.db.Find(&items)
 if res.Error != nil {
diff --git a/api/handler/admin/order_handler.go b/api/handler/admin/order_handler.go
index 44edc839..4915f91c 100644
--- a/api/handler/admin/order_handler.go
+++ b/api/handler/admin/order_handler.go
@@ -25,6 +25,11 @@ func NewOrderHandler(app *core.AppServer, db *gorm.DB) *OrderHandler {
 }
 
 func (h *OrderHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var data struct {
 OrderNo string `json:"order_no"`
 Status int `json:"status"`
diff --git a/api/handler/admin/product_handler.go b/api/handler/admin/product_handler.go
index 08e3ac11..ecc3d77c 100644
--- a/api/handler/admin/product_handler.go
+++ b/api/handler/admin/product_handler.go
@@ -70,6 +70,11 @@ func (h *ProductHandler) Save(c *gin.Context) {
 
 // List 模型列表
 func (h *ProductHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 session := h.db.Session(&gorm.Session{})
 enable := h.GetBool(c, "enable")
 if enable {
diff --git a/api/handler/admin/reward_handler.go b/api/handler/admin/reward_handler.go
index a9d05bea..7fcdc265 100644
--- a/api/handler/admin/reward_handler.go
+++ b/api/handler/admin/reward_handler.go
@@ -24,6 +24,11 @@ func NewRewardHandler(app *core.AppServer, db *gorm.DB) *RewardHandler {
 }
 
 func (h *RewardHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 var items []model.Reward
 res := h.db.Order("id DESC").Find(&items)
 var rewards = make([]vo.Reward, 0)
diff --git a/api/handler/admin/user_handler.go b/api/handler/admin/user_handler.go
index b84fdf54..26bb556b 100644
--- a/api/handler/admin/user_handler.go
+++ b/api/handler/admin/user_handler.go
@@ -27,6 +27,11 @@ func NewUserHandler(app *core.AppServer, db *gorm.DB) *UserHandler {
 
 // List 用户列表
 func (h *UserHandler) List(c *gin.Context) {
+ if err := utils.CheckPermission(c, h.db); err != nil {
+ resp.ERROR(c, types.NoPermission)
+ return
+ }
+
 page := h.GetInt(c, "page", 1)
 pageSize := h.GetInt(c, "page_size", 20)
 username := h.GetTrim(c, "username")
diff --git a/api/utils/permission.go b/api/utils/permission.go
new file mode 100644
index 00000000..a81de9bf
--- /dev/null
+++ b/api/utils/permission.go
@@ -0,0 +1,40 @@
+package utils
+
+import (
+ "chatplus/core/types"
+ "chatplus/store/model"
+ "fmt"
+ "github.com/gin-gonic/gin"
+ "gorm.io/gorm"
+ "net/url"
+ "strings"
+)
+
+// CheckPermission Todo: 放在缓存
+// CheckPermission 检查权限
+func CheckPermission(c *gin.Context, db *gorm.DB) error {
+ u, err := url.Parse(c.Request.RequestURI)
+ if err != nil {
+ panic(err)
+ }
+ slug := strings.Replace(u.Path, "/", "_", -1)[1:]
+
+ // 用户名
+ userName, _ := c.Get(types.LoginUserID)
+
+ var manager model.AdminUser
+ db.Table("chatgpt_admin_users").Select("chatgpt_admin_users.id").Where("username = ?", userName).First(&manager)
+
+ // 超级管理员不判断
+ if manager.Id == 1 {
+ return nil
+ }
+ var roleIds []int
+ var count int64
+ db.Raw("SELECT `chatgpt_admin_user_roles`.role_id FROM `chatgpt_admin_users` LEFT JOIN `chatgpt_admin_user_roles` ON ( `chatgpt_admin_users`.id = `chatgpt_admin_user_roles`.admin_id ) WHERE `chatgpt_admin_users`.id = ?", manager.Id).Find(&roleIds)
+ db.Raw("SELECT `chatgpt_admin_permissions`.slug FROM `chatgpt_admin_permissions` LEFT JOIN `chatgpt_admin_role_permissions` ON (`chatgpt_admin_permissions`.id = `chatgpt_admin_role_permissions`.permission_id) WHERE `chatgpt_admin_role_permissions`.role_id IN ? and `chatgpt_admin_permissions`.slug = ? ", roleIds, slug).Count(&count)
+ if count > 0 {
+ return nil
+ }
+ return fmt.Errorf("没有权限")
+}
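Review bot: `url.Parse(c.Request.RequestURI)` followed by `panic(err)` turns a malformed, client-supplied request line into a panic inside the authorization check, and `strings.Replace(u.Path, "/", "_", -1)[1:]` panics again when the path is empty; an authorization helper should fail closed by returning an error, and deriving the slug from `c.FullPath()` (gin's matched route) avoids parsing the raw URI at all, which is safe as long as the admin routes carry no `:param` segments (otherwise the parameter name would land in the slug). The `ok` result of `c.Get(types.LoginUserID)` is dropped, so an unset login key silently becomes a `username = NULL` lookup instead of an explicit rejection, and the key's name suggests an ID while the value is compared against `username` — worth confirming what the login middleware actually stores. The `.Error` of `First` and of both `Raw` queries is never read and the super-admin bypass is the hard-coded `manager.Id == 1`; the outcome happens to stay fail-closed because `count` remains 0, but a database outage is then reported to the caller as "no permission" rather than as an error. The import block also interleaves stdlib (`fmt`, `net/url`, `strings`) with module imports; `goimports` would group them. The top of the function with those checks in place:
```go
func CheckPermission(c *gin.Context, db *gorm.DB) error {
	// Matched route pattern rather than the raw request line: no parse step, no panic path.
	slug := strings.TrimPrefix(strings.ReplaceAll(c.FullPath(), "/", "_"), "_")
	if slug == "" {
		return fmt.Errorf("没有权限")
	}

	userName, ok := c.Get(types.LoginUserID)
	if !ok {
		return fmt.Errorf("没有权限")
	}

	var manager model.AdminUser
	if err := db.Table("chatgpt_admin_users").Select("chatgpt_admin_users.id").
		Where("username = ?", userName).First(&manager).Error; err != nil {
		return err
	}
	// … unchanged: super-admin short-circuit, role and permission queries (read their .Error the same way), count check …
```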