diff --git a/apps/perms/models/asset_permission.py b/apps/perms/models/asset_permission.py index 660b8cc5b..67df0bb26 100644 --- a/apps/perms/models/asset_permission.py +++ b/apps/perms/models/asset_permission.py @@ -258,8 +258,9 @@ class AssetPermission(OrgModelMixin): @classmethod def filter(cls, user=None, user_group=None, asset=None, account_names=None): - """ 获取同时包含 用户(组)-资产-账号 的授权规则 """ + """ 获取同时包含 用户(组)-资产-账号 的授权规则, 条件之间都是 & 的关系""" perm_ids = [] + if user: user_perm_ids = cls.filter_by_user(user, flat=True) perm_ids.append(user_perm_ids) @@ -271,12 +272,16 @@ class AssetPermission(OrgModelMixin): if asset: asset_perm_ids = cls.filter_by_asset(asset, flat=True) perm_ids.append(asset_perm_ids) + # & 是同时满足,比如有用户,但是用户的规则是空,那么返回也应该是空 perm_ids = list(reduce(lambda x, y: set(x) & set(y), perm_ids)) perms = cls.objects.filter(id__in=perm_ids) + if account_names: perms = perms.filter_by_accounts(account_names) - return perms.valid().order_by('-date_expired') + + perms = perms.valid().order_by('-date_expired') + return perms @classmethod def filter_by_user(cls, user, with_group=True, flat=False): diff --git a/apps/perms/urls/asset_permission.py b/apps/perms/urls/asset_permission.py index 5973dd0ae..e82dd8686 100644 --- a/apps/perms/urls/asset_permission.py +++ b/apps/perms/urls/asset_permission.py @@ -84,7 +84,7 @@ user_group_permission_urlpatterns = [ # Todo: v3 删除 path('/assets//system-users/', api.UserGroupGrantedAssetSystemUsersApi.as_view(), name='user-group-asset-system-users'), - # Todo: v3 增加 + # Todo: v3 增加 Done. # 获取所有和资产-用户组关联的账号列表 path('/assets//accounts/', api.UserGroupGrantedAssetAccountsApi.as_view(), name='user-group-asset-accounts'), ] 
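Review bot: The new docstring on `filter` says all conditions are ANDed, but `if user:` (and `if asset:` in the next hunk) skips a falsy argument rather than treating it as "matches nothing". A caller that passes `user=None` after a failed lookup would get rules matched on the remaining criteria only, which is wider than the docstring implies; whether any caller does this is not visible in the diff. The docstring should state the contract, for example `Criteria that are omitted or falsy are not applied; only the supplied ones are intersected.` The body of `filter` continues past the end of this hunk.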
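Review bot: `reduce(lambda x, y: set(x) & set(y), perm_ids)` is called without an initial value, so when none of the visible criteria (`user`, `asset`, and presumably `user_group`) is supplied, `perm_ids` is still `[]` and the call raises `TypeError` before the `account_names` filter is reached. The added comment above it explains the intersection but does not cover this case. A guard ahead of the reduce, `if not perm_ids: return cls.objects.none()`, keeps the method fail-closed. If an account-only query is meant to be supported, that should be written out explicitly instead. `filter` begins in the previous hunk, and the lines between the two hunks are not shown.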
@@ -95,7 +95,8 @@ permission_urlpatterns = [ path('/users/all/', api.AssetPermissionAllUserListApi.as_view(), name='asset-permission-all-users'), # 验证用户是否有某个资产和系统用户的权限 - # Todo: API 需要修改,验证用户有某个账号的权限 + # Todo: v3 API 需要修改,验证用户有某个账号的权限 # 先不动, v3 中可能会修改连接资产时的逻辑, + # 直接获取认证信息,获取不到就时没有权限,就不需要校验了 path('user/validate/', api.ValidateUserAssetPermissionApi.as_view(), name='validate-user-asset-permission'), path('user/actions/', api.GetUserAssetPermissionActionsApi.as_view(), name='get-user-asset-permission-actions'),
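Review bot: The rewritten Todo above `path('user/validate/', ...)` defers the account-level check on the assumption that v3 will treat a failed credential lookup as "no permission". That only holds if the credential lookup itself enforces the permission rules, which this diff does not show. Going by the context comment above it, the endpoint still validates against system users, so the Todo should say so, for example `# NOTE: still validates asset + system user, not account, until the v3 connect flow lands`. The second added line also has a typo: `获取不到就时没有权限` should read `获取不到就是没有权限`.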