diff --git a/src/main/kotlin/top/fatweb/oxygen/api/controller/tool/ManagementController.kt b/src/main/kotlin/top/fatweb/oxygen/api/controller/tool/ManagementController.kt
index c518250..8bb074a 100644
--- a/src/main/kotlin/top/fatweb/oxygen/api/controller/tool/ManagementController.kt
+++ b/src/main/kotlin/top/fatweb/oxygen/api/controller/tool/ManagementController.kt
@@ -2,6 +2,7 @@ package top.fatweb.oxygen.api.controller.tool
 
 import io.swagger.v3.oas.annotations.Operation
 import jakarta.validation.Valid
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.*
 import top.fatweb.oxygen.api.annotation.BaseController
 import top.fatweb.oxygen.api.entity.common.ResponseCode
@@ -30,6 +31,7 @@ class ManagementController(
      */
     @Operation(summary = "获取单个工具")
     @GetMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('system:tool:query:tool')")
     fun getOne(@PathVariable id: Long): ResponseResult<ToolVo> =
         ResponseResult.databaseSuccess(data = managementService.getOne(id))
 
@@ -41,6 +43,7 @@ class ManagementController(
      */
     @Operation(summary = "获取工具")
     @GetMapping
+    @PreAuthorize("hasAnyAuthority('system:tool:query:tool')")
     fun get(toolManagementGetParam: ToolManagementGetParam): ResponseResult<PageVo<ToolVo>> =
         ResponseResult.databaseSuccess(data = managementService.getPage(toolManagementGetParam))
 
@@ -52,6 +55,7 @@ class ManagementController(
      */
     @Operation(summary = "通过审核")
     @PostMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('system:tool:modify:tool')")
     fun pass(
         @PathVariable id: Long,
         @RequestBody @Valid toolManagementPassParam: ToolManagementPassParam
@@ -69,6 +73,7 @@ class ManagementController(
      */
     @Operation(summary = "驳回审核")
     @PutMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('system:tool:modify:tool')")
     fun reject(@PathVariable id: Long): ResponseResult<ToolVo> =
         ResponseResult.databaseSuccess(ResponseCode.DATABASE_UPDATE_SUCCESS, data = managementService.reject(id))
 
@@ -80,6 +85,7 @@ class ManagementController(
      */
     @Operation(summary = "下架")
     @PatchMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('system:tool:modify:tool')")
     fun offShelve(@PathVariable id: Long): ResponseResult<ToolVo> =
         ResponseResult.databaseSuccess(ResponseCode.DATABASE_UPDATE_SUCCESS, data = managementService.offShelve(id))
 
@@ -91,6 +97,7 @@ class ManagementController(
      */
     @Operation(summary = "删除工具")
     @DeleteMapping("/{id}")
+    @PreAuthorize("hasAnyAuthority('system:tool:delete:tool')")
     fun delete(@PathVariable id: Long): ResponseResult<Nothing> =
         if (managementService.delete(id)) ResponseResult.databaseSuccess(ResponseCode.DATABASE_DELETE_SUCCESS)
         else ResponseResult.databaseFail(ResponseCode.DATABASE_DELETE_FAILED)