diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index d28157085..5c58de68e 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -12,7 +12,7 @@ from common.utils import get_object_or_none
 from orgs.utils import tmp_to_root_org
 
 
-class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
+class IsValidUser(permissions.IsAuthenticated):
     """Allows access to valid user, is active and not expired"""
 
     def has_permission(self, request, view):
diff --git a/apps/jumpserver/rewriting/storage/permissions.py b/apps/jumpserver/rewriting/storage/permissions.py
index 51b1c9c40..7af0adece 100644
--- a/apps/jumpserver/rewriting/storage/permissions.py
+++ b/apps/jumpserver/rewriting/storage/permissions.py
@@ -16,6 +16,8 @@ def allow_access(private_file):
     path_base = path_list[1] if len(path_list) > 1 else None
     path_perm = path_perms_map.get(path_base, None)
 
+    if ".." in request_path:
+        return False
     if not path_perm:
         return False
     if path_perm == '*' or request.user.has_perms([path_perm]):
diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
index 1165c0570..e2e72e572 100644
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
@@ -1,13 +1,15 @@
 from rest_framework import permissions
+
 from common.utils import get_logger
 
 logger = get_logger(__file__)
 
-
 __all__ = ['IsSessionAssignee']
 
 
-class IsSessionAssignee(permissions.BasePermission):
+class IsSessionAssignee(permissions.IsAuthenticated):
+    def has_permission(self, request, view):
+        return False
 
     def has_object_permission(self, request, view, obj):
         try:
diff --git a/apps/tickets/permissions/ticket.py b/apps/tickets/permissions/ticket.py
index 29c7dd7b5..494d9ba1b 100644
--- a/apps/tickets/permissions/ticket.py
+++ b/apps/tickets/permissions/ticket.py
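Review bot: The new `if ".." in request_path` guard is a substring denylist on the URL path rather than a check on where the served file actually resolves, so it rejects benign names such as `report..pdf` while still depending on upstream decoding having normalised the path before the comparison runs. A more robust shape is to test path segments, `if ".." in request_path.split('/'):`, and, where the file is finally opened, to confirm the resolved location lies under the storage root before serving it. The check also sits after the `path_perms_map.get(...)` lookup, which is harmless but reads more naturally as the first rejection in the function. allow_access begins before this hunk, so the derivation of `request_path` is not visible here.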
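Review bot: `has_permission` returning an unconditional `False` means `IsSessionAssignee` can never grant a request on its own, and under DRF versions whose `OR` composition also requires `has_permission` to pass, it stops contributing at the object level as well, turning the class into a pure deny. If the intent is "authenticated users may proceed to the object check", the body should be `return super().has_permission(request, view)`, which is what switching the base to `permissions.IsAuthenticated` suggests; if a blanket deny for non-object actions is intended, a comment saying so would stop the next reader from "fixing" it. `has_object_permission` continues past the end of this hunk.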
@@ -1,12 +1,12 @@
 from rest_framework import permissions
 
 
-class IsAssignee(permissions.BasePermission):
+class IsAssignee(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         return obj.has_current_assignee(request.user)
 
 
-class IsApplicant(permissions.BasePermission):
+class IsApplicant(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         return obj.applicant == request.user
 
diff --git a/apps/users/permissions.py b/apps/users/permissions.py
index 33081c5b3..37525517c 100644
--- a/apps/users/permissions.py
+++ b/apps/users/permissions.py
@@ -1,6 +1,5 @@
 from rest_framework import permissions
 
-from rbac.builtin import BuiltinRole
 from .utils import is_auth_password_time_valid
 
 
@@ -11,7 +10,7 @@ class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
             and is_auth_password_time_valid(request.session)
 
 
-class UserObjectPermission(permissions.BasePermission):
+class UserObjectPermission(permissions.IsAuthenticated):
     def has_object_permission(self, request, view, obj):
         if view.action not in ['update', 'partial_update', 'destroy']:
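Review bot: Neither `IsAssignee` nor `IsApplicant` carries a docstring, and the base-class change gives each a two-stage contract that is easy to misread: `IsAuthenticated.has_permission` now rejects anonymous requests up front, and only then is the object check applied, so a view that lists one of these classes alone will refuse anonymous access to list/create actions where `BasePermission` previously let the request reach the view. A one-line docstring on each, e.g. `"""Authenticated users only; object access requires the requester to be a current assignee."""` and `"""Authenticated users only; object access requires the requester to be the applicant."""`, would record that. `has_object_permission` is otherwise unchanged in both classes.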