diff --git a/main.go b/main.go
index 7fda56c..639b08b 100644
--- a/main.go
+++ b/main.go
@@ -166,6 +166,16 @@ func JWTAuthMiddleware() gin.HandlerFunc {
 c.Set("id", token.Claims.(jwt.MapClaims)["id"])
 c.Set("username", token.Claims.(jwt.MapClaims)["username"])
+ if UserFuncIntercept(int(token.Claims.(jwt.MapClaims)["id"].(float64)), c.Request.URL.Path) {
+ c.AbortWithStatus(200)
+ c.JSON(200, gin.H{
+ "message": "no function permission",
+ "error": "no permission",
+ "code": proto.NoPermission,
+ })
+ return
+ }
+
 // 继续处理请求
 c.Next()
 }
@@ -264,3 +274,27 @@ func RunGeneralCron() {
 worker.SetRedis(key, string(data))
 }
 }
+
+// 用户功能拦截,返回true表示拦截,false表示不拦截
+func UserFuncIntercept(id int, url string) bool {
+ //先查看是否有权限
+ user := dao.FindUserByUserID(id)
+ //如果用户有权限,则不拦截
+ for k, v := range proto.Per_menu_map {
+ if strings.Contains(url, k) {
+ if v == 1 && user.VideoFunc == true {
+ return false
+ }
+ if v == 2 && user.DeviceFunc == true {
+ return false
+ }
+ if v == 3 && user.CIDFunc == true {
+ return false
+ }
+ }
+ }
+ if strings.Contains(url, "/callback") {
+ return false
+ }
+ return true
+}
diff --git a/proto/conf.go b/proto/conf.go
index 18b7577..d014382 100644
--- a/proto/conf.go
+++ b/proto/conf.go
@@ -10,7 +10,7 @@ import (
 var Config ConfigStruct
 var SigningKey = []byte{}
 var Url_map = map[string]bool{"/login": true, "/register": true, "/uuid": true, "/gqr": true, "/cid/callback": true, "/tool/monitor": true} // 不需要token验证的url
-var per_meru_map = map[string]bool{"/video/": true, "/device/": true, "/cid/": true}
+var Per_menu_map = map[string]int{"/video/": 1, "/device/": 2, "/cid/": 3}
 const (
 MYSQL_USER = "video_t2"
diff --git a/proto/status.go b/proto/status.go
index b259edf..c4ba01e 100644
--- a/proto/status.go
+++ b/proto/status.go
@@ -47,6 +47,7 @@ const (
 NoRedisPermissions = 51
 NoRunPermissions = 52
 NoDevicePermissions = 53
+ NoPermission = 54
 //消息错误码
 MsgSendFailed = 61 // 消息发送失败
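Review bot: The added call in JWTAuthMiddleware asserts `token.Claims.(jwt.MapClaims)["id"].(float64)` without the two-value form, so a correctly signed token whose `id` claim is absent or not numeric panics in the middleware rather than being rejected. The refusal is also sent with HTTP 200 through `c.AbortWithStatus(200)` followed by `c.JSON(200, …)`, which keeps authorization failures out of status-based logging and alerting. The fence below checks the assertion and answers with a single `AbortWithStatusJSON` call, using 401 for a malformed claim and 403 for the denial; if this API deliberately answers 200 and signals errors through `code`, keep 200 but still use the single call. JWTAuthMiddleware's body starts and ends outside the hunk.

```go
// … unchanged: c.Set("id", …) and c.Set("username", …) …
uid, ok := token.Claims.(jwt.MapClaims)["id"].(float64)
if !ok {
	// A token without a numeric id claim is rejected instead of panicking.
	c.AbortWithStatusJSON(401, gin.H{"error": "invalid token claims"})
	return
}
if UserFuncIntercept(int(uid), c.Request.URL.Path) {
	c.AbortWithStatusJSON(403, gin.H{
		"message": "no function permission",
		"error":   "no permission",
		"code":    proto.NoPermission,
	})
	return
}
// … unchanged: c.Next() …
```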
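Review bot: `strings.Contains(url, k)` in `UserFuncIntercept` matches a menu marker anywhere in the request path, so a path under one menu is allowed on another menu's flag whenever that other marker also occurs in the path, and the `/callback` test exempts any path containing that substring for every user. Anchor both checks: `if strings.HasPrefix(url, k) {` for the menus (assuming they are mounted at the root, as the `Url_map` entries suggest) and an exact comparison such as `if url == "/cid/callback" {` for the exemption. Separately, the final `return true` intercepts every path that matches no menu, so authenticated routes outside `/video/`, `/device/` and `/cid/` would be refused for all users; if that is not intended, the fall-through should be `return false`. The value returned by `dao.FindUserByUserID` is used without a not-found check, which fails closed only if a missing user comes back as a zero-value struct; that is not visible here.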