diff --git a/apps/common/api/permission.py b/apps/common/api/permission.py
index 19f63824f..c70597f15 100644
--- a/apps/common/api/permission.py
+++ b/apps/common/api/permission.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 from django.contrib.auth import get_user_model
+from rest_framework.exceptions import ValidationError
 from rest_framework.request import Request
 from common.utils import lazyproperty
@@ -14,7 +15,13 @@ class AllowBulkDestroyMixin:
 我们规定,批量删除的情况必须用 `id` 指定要删除的数据。
 """
 query = str(filtered.query)
- can = '`id` IN (' in query or '`id` =' in query or 'ptr_id` IN (' in query
+ can = (
+ '`id` IN (' in query or '`id` =' in query or
+ 'ptr_id` IN (' in query or
+ '."id" IN' in query # for postgresql
+ )
+ if not can:
+ raise ValidationError('Bulk destroy all is not allowed')
 return can
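Review bot: The PostgreSQL branch added in the second hunk covers less than the MySQL one. `'."id" IN'` has no counterpart for the MySQL `=` and `ptr_id` patterns, so a single-id or inherited-model filter is presumably rejected on PostgreSQL; adding `'."id" =' in query or 'ptr_id" IN' in query` would bring the two in line. More generally, the guard still substring-matches `str(filtered.query)`, whose text has filter values interpolated into it and can include joined tables, so a match does not prove the delete is scoped by this model's primary key. A comment such as `# best-effort text match on rendered SQL; not proof the delete is scoped by pk` would make that limit visible, and checking the request's filter parameters would be sturdier. The function's `def` line is outside the hunk; since it now raises instead of returning False, `return can` can only return True, so callers that branch on the result should be checked.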