diff --git a/spug_api/apps/account/models.py b/spug_api/apps/account/models.py
index 0fb5b72..87f5a00 100644
--- a/spug_api/apps/account/models.py
+++ b/spug_api/apps/account/models.py
@@ -28,6 +28,22 @@ class User(models.Model, ModelMixin):
 def verify_password(self, plain_password: str) -> bool:
 return check_password(plain_password, self.password_hash)
+ @property
+ def page_perms(self):
+ if self.role.page_perms:
+ data = []
+ perms = json.loads(self.role.page_perms)
+ for m, v in perms.items():
+ for p, d in v.items():
+ data.extend(f'{m}.{p}.{x}' for x in d)
+ return data
+ else:
+ return []
+
+ @property
+ def deploy_perms(self):
+ return json.loads(self.role.deploy_perms) if self.role.deploy_perms else {'apps': [], 'envs': []}
+
 def has_perms(self, codes):
 # return self.is_supper or self.role in codes
 return self.is_supper
@@ -49,22 +65,6 @@ class Role(models.Model, ModelMixin):
 created_at = models.CharField(max_length=20, default=human_datetime)
 created_by = models.ForeignKey(User, on_delete=models.PROTECT, related_name='+')
- @property
- def permissions(self):
- if self.page_perms:
- data = []
- perms = json.loads(self.page_perms)
- for m, v in perms.items():
- for p, d in v.items():
- data.extend(f'{m}.{p}.{x}' for x in d)
- return data
- else:
- return []
-
- @property
- def deploy(self):
- return json.loads(self.deploy_perms) if self.deploy_perms else {'apps': [], 'envs': []}
-
 def to_dict(self, *args, **kwargs):
 tmp = super().to_dict(*args, **kwargs)
 tmp['page_perms'] = json.loads(self.page_perms) if self.page_perms else None
diff --git a/spug_api/apps/account/views.py b/spug_api/apps/account/views.py
index 5f7b015..372d3fc 100644
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
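Review bot: `page_perms` and `deploy_perms` in the first models.py hunk dereference `self.role` unconditionally, so a non-super user without a role would raise AttributeError instead of getting an empty permission set; whether `role` can be null is not visible here, as the field is declared outside the hunk. The views changed in this commit index the result directly with `['apps']` and `['envs']`, so a stored `deploy_perms` JSON that lacks either key would surface as a server error rather than an empty scope. Failing closed inside the property avoids both: `perms = json.loads(self.role.deploy_perms) if self.role and self.role.deploy_perms else {}` followed by `return {'apps': perms.get('apps', []), 'envs': perms.get('envs', [])}`. A one-line docstring on each property stating the returned shape (a list of dotted `m.p.x` strings; a dict with `apps` and `envs` id lists) would also help the view authors who now depend on it.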
@@ -129,7 +129,7 @@ def login(request):
 'nickname': user.nickname,
 'is_supper': user.is_supper,
 'has_real_ip': True if x_real_ip else False,
- 'permissions': [] if user.is_supper else user.role.permissions
+ 'permissions': [] if user.is_supper else user.page_perms
 })
 value = cache.get_or_set(form.username, 0, 86400)
diff --git a/spug_api/apps/app/views.py b/spug_api/apps/app/views.py
index b091da3..986f176 100644
--- a/spug_api/apps/app/views.py
+++ b/spug_api/apps/app/views.py
@@ -9,7 +9,10 @@ import json
 class AppView(View):
 def get(self, request):
- apps = App.objects.all()
+ query = {}
+ if not request.user.is_supper:
+ query['id__in'] = request.user.deploy_perms['apps']
+ apps = App.objects.filter(**query)
 return json_response(apps)
 def post(self, request):
@@ -62,6 +65,10 @@ class DeployView(View):
 form, error = JsonParser(
 Argument('app_id', type=int, required=False)
 ).parse(request.GET, True)
+ if not request.user.is_supper:
+ perms = request.user.deploy_perms
+ form.app_id__in = perms['apps']
+ form.env_id__in = perms['envs']
 deploys = Deploy.objects.filter(**form).annotate(app_name=F('app__name'))
 return json_response(deploys)
diff --git a/spug_api/apps/config/views.py b/spug_api/apps/config/views.py
index 38d889c..6c66fa3 100644
--- a/spug_api/apps/config/views.py
+++ b/spug_api/apps/config/views.py
@@ -7,7 +7,10 @@ import json
 class EnvironmentView(View):
 def get(self, request):
- envs = Environment.objects.all()
+ query = {}
+ if not request.user.is_supper:
+ query['id__in'] = request.user.deploy_perms['envs']
+ envs = Environment.objects.filter(**query)
 return json_response(envs)
 def post(self, request):
diff --git a/spug_api/apps/deploy/views.py b/spug_api/apps/deploy/views.py
index 677e3bf..9b8c9c8 100644
--- a/spug_api/apps/deploy/views.py
+++ b/spug_api/apps/deploy/views.py
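Review bot: Only the list read in `AppView.get` is scoped to `deploy_perms['apps']`; `post`, whose body starts after the hunk, is untouched, so whether a non-super user can still create or change an App outside their scope depends on checks not visible here and should be confirmed. The same holds for `EnvironmentView.get` in config/views.py. An empty permission list yields `id__in=[]` and therefore no rows, which is the fail-closed behaviour wanted here; a short comment such as `# non-super users only see apps granted via role.deploy_perms` above the `if` would record that intent.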
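Review bot: The lines added to `DeployView.get` assign attributes on `form` before `error` has been checked, so a request with an unparsable `app_id` reaches `form.app_id__in = ...` with whatever `parse` returns on failure (possibly `None`; the parser is not shown). Returning early with `if error is not None: return json_response(error=error)` right after the `parse(...)` call keeps that case a clean client error instead of an unhandled exception in the permission path. The method's `def` line lies outside the hunk.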
@@ -13,8 +13,12 @@ import uuid
 class RequestView(View):
 def get(self, request):
- data = []
- for item in DeployRequest.objects.annotate(
+ data, query = [], {}
+ if not request.user.is_supper:
+ perms = request.user.deploy_perms
+ query['deploy__app_id__in'] = perms['apps']
+ query['deploy__env_id__in'] = perms['envs']
+ for item in DeployRequest.objects.filter(**query).annotate(
 env_name=F('deploy__env__name'),
 app_name=F('deploy__app__name'),
 app_host_ids=F('deploy__host_ids'),
@@ -102,7 +106,7 @@ class RequestDetailView(View):
 def get(self, request, r_id):
 req = DeployRequest.objects.filter(pk=r_id).first()
 if not req:
- return json_response(error='为找到指定发布申请')
+ return json_response(error='未找到指定发布申请')
 hosts = Host.objects.filter(id__in=json.loads(req.host_ids))
 targets = [{'id': x.id, 'title': f'{x.name}({x.hostname}:{x.port})'} for x in hosts]
 server_actions, host_actions = [], []
@@ -121,7 +125,12 @@ class RequestDetailView(View):
 })
 def post(self, request, r_id):
- req = DeployRequest.objects.filter(pk=r_id).first()
+ query = {'pk': r_id}
+ if not request.user.is_supper:
+ perms = request.user.deploy_perms
+ query['deploy__app_id__in'] = perms['apps']
+ query['deploy__env_id__in'] = perms['envs']
+ req = DeployRequest.objects.filter(**query).first()
 if not req:
 return json_response(error='未找到指定发布申请')
 if req.status not in ('1', '-3'):
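Review bot: The three-line block in `RequestView.get` that builds `deploy__app_id__in` / `deploy__env_id__in` from `request.user.deploy_perms` is written out again in `RequestDetailView.post` further down, with a variant in `DeployView.get` in app/views.py. Hand-copied authorization filters tend to drift, and a view that omits one silently returns out-of-scope rows. A single helper on `User` that returns the filter dict for a given lookup prefix would keep the rule in one place and make a missing call easier to spot in review. The `annotate(...)` call continues past the end of the hunk.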
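Review bot: `RequestDetailView.get`, visible in the previous hunk and unchanged apart from the error string, still loads the request with `filter(pk=r_id)` alone, so the detail of a deploy request outside a non-super user's `deploy_perms` remains readable by id even though `post` is now scoped. Build the same `query` in `get` and fetch with `DeployRequest.objects.filter(**query).first()` there as well. Returning the same '未找到指定发布申请' message for both missing and out-of-scope requests, as `post` does, is the right choice because it does not reveal which ids exist. `post` continues beyond the hunk.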