diff --git a/apps/authentication/api/auth.py b/apps/authentication/api/auth.py index 6fbd2b6d2..101d6436e 100644 --- a/apps/authentication/api/auth.py +++ b/apps/authentication/api/auth.py @@ -41,6 +41,16 @@ class UserAuthApi(RootOrgViewMixin, APIView): permission_classes = (AllowAny,) serializer_class = UserSerializer + def get_serializer_context(self): + return { + 'request': self.request, + 'view': self + } + + def get_serializer(self, *args, **kwargs): + kwargs['context'] = self.get_serializer_context() + return self.serializer_class(*args, **kwargs) + def post(self, request): # limit login username = request.data.get('username') @@ -65,7 +75,7 @@ class UserAuthApi(RootOrgViewMixin, APIView): clean_failed_count(username, ip) token, expired_at = user.create_bearer_token(request) return Response( - {'token': token, 'user': self.serializer_class(user).data} + {'token': token, 'user': self.get_serializer(user).data} ) seed = uuid.uuid4().hex @@ -77,7 +87,7 @@ class UserAuthApi(RootOrgViewMixin, APIView): 'conduct MFA secondary certification'), 'otp_url': reverse('api-auth:user-otp-auth'), 'seed': seed, - 'user': self.serializer_class(user).data + 'user': self.get_serializer(user).data }, status=300 ) @@ -147,6 +157,16 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView): permission_classes = (AllowAny,) serializer_class = UserSerializer + def get_serializer_context(self): + return { + 'request': self.request, + 'view': self + } + + def get_serializer(self, *args, **kwargs): + kwargs['context'] = self.get_serializer_context() + return self.serializer_class(*args, **kwargs) + def post(self, request): otp_code = request.data.get('otp_code', '') seed = request.data.get('seed', '') 
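Review bot: `get_serializer` added to UserAuthApi silently discards any `context` a caller passes, because `kwargs['context'] = self.get_serializer_context()` overwrites it rather than merging; a merge such as `kwargs['context'] = {**self.get_serializer_context(), **kwargs.get('context', {})}` keeps the new request/view entries while still honouring an explicit override. Neither helper has a docstring; I would put `"""Return the serializer bound to the current request and view."""` on `get_serializer`, and note on `get_serializer_context` that, unlike DRF's GenericAPIView, it does not supply `format`, in case something downstream expects it. `post` continues past the end of the hunk.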
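Review bot: The 300 "MFA required" response in UserAuthApi.post still embeds `'user': self.get_serializer(user).data`, so a client that has presented only the first factor receives the full UserSerializer representation before the second factor is verified. Whatever UserSerializer exposes (its field list is not in this diff) is disclosed at that point; if MFA is meant to gate account details, return only what the OTP step needs, e.g. `'user': {'username': user.username}`, and keep the full serialization for the post-OTP response. The enclosing `post` starts before this hunk.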
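Review bot: The `get_serializer_context`/`get_serializer` pair added to UserOtpAuthApi is a byte-for-byte copy of the pair added to UserAuthApi earlier in this diff, so any later fix (adding `format`, merging caller-supplied context) has to be made in two places. A small mixin, e.g. `class RequestSerializerMixin:` holding the two methods and listed before `RootOrgViewMixin` in both class bases, removes the duplication without changing behaviour; alternatively both views could derive from `GenericAPIView`, whose implementations are equivalent apart from also passing `format`. The hunk ends inside `post`.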
@@ -161,7 +181,7 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView): return Response({'msg': _('MFA certification failed')}, status=401) self.send_auth_signal(success=True, user=user) token, expired_at = user.create_bearer_token(request) - data = {'token': token, 'user': self.serializer_class(user).data} + data = {'token': token, 'user': self.get_serializer(user).data} return Response(data) def send_auth_signal(self, success=True, user=None, username='', reason=''): diff --git a/apps/common/permissions.py b/apps/common/permissions.py index 08350d89b..12bc5c6d4 100644 --- a/apps/common/permissions.py +++ b/apps/common/permissions.py @@ -132,6 +132,8 @@ class CanUpdateDeleteUser(permissions.BasePermission): @staticmethod def has_delete_object_permission(request, view, obj): + if request.user.is_anonymous: + return False if not request.user.can_admin_current_org: return False # 超级管理员 / 组织管理员 @@ -157,6 +159,8 @@ class CanUpdateDeleteUser(permissions.BasePermission): @staticmethod def has_update_object_permission(request, view, obj): + if request.user.is_anonymous: + return False if not request.user.can_admin_current_org: return False # 超级管理员 / 组织管理员 @@ -179,6 +183,8 @@ class CanUpdateDeleteUser(permissions.BasePermission): return True def has_object_permission(self, request, view, obj): + if request.user.is_anonymous: + return False if not request.user.can_admin_current_org: return False if request.method in ['DELETE']:
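Review bot: The new guard in `has_delete_object_permission` reads `request.user.is_anonymous` unconditionally, which still raises AttributeError when `request.user` is None (DRF leaves it None if the project sets `UNAUTHENTICATED_USER` to None); `if not request.user or not request.user.is_authenticated: return False` covers both the anonymous and the unset case. The method body continues outside the hunk.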
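Review bot: The same `is_anonymous` guard is now repeated in `has_update_object_permission`, `has_delete_object_permission` and `has_object_permission`; DRF evaluates `has_permission` before any object-level hook, so a single `def has_permission(self, request, view): return bool(request.user and request.user.is_authenticated)` on CanUpdateDeleteUser would reject anonymous callers once, before `can_admin_current_org` is ever read. The per-method copies could then be dropped, unless the two static helpers are also called directly from views, which this diff does not show. The hunk ends inside the method.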
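Review bot: `has_object_permission` has no docstring, and the new anonymous check changes what callers can rely on: an unauthenticated request is now refused here instead of failing with an AttributeError on `can_admin_current_org`. I would add `"""Object-level check: deny anonymous users and non-admins of the current org, then apply the method-specific rules below."""` directly under the `def` line. The method continues past the end of the hunk, so the DELETE branch and whatever follows it are not visible here.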