diff --git a/src/app/api/tickets/export/route.ts b/src/app/api/tickets/export/route.ts
index 6b07be1..e638365 100644
--- a/src/app/api/tickets/export/route.ts
+++ b/src/app/api/tickets/export/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import { exportTicketsToExcel } from '@/lib/excel'
 export async function GET(request: NextRequest) {
@@ -9,6 +10,7 @@ export async function GET(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+ if (!hasPermission(user, 'tickets:export')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { searchParams } = request.nextUrl
 const idsParam = searchParams.get('ids')
diff --git a/src/app/api/tickets/import/route.ts b/src/app/api/tickets/import/route.ts
index 98c531a..d4f949f 100644
--- a/src/app/api/tickets/import/route.ts
+++ b/src/app/api/tickets/import/route.ts
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
- if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+ if (!hasPermission(user, 'tickets:import')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const formData = await request.formData()
 const file = formData.get('file') as File | null
diff --git a/src/app/api/tickets/route.ts b/src/app/api/tickets/route.ts
index a6deb5f..7a055b3 100644
--- a/src/app/api/tickets/route.ts
+++ b/src/app/api/tickets/route.ts
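Review bot: In src/app/api/tickets/export/route.ts the new `tickets:export` guard decides only whether the caller may export at all, while `ids` is still taken from the query string two lines later, so the guard does not limit which tickets end up in the file. If ticket visibility is narrower than the export permission (per owner, team or status), the query that consumes `idsParam` should apply the same read filter as the rest of the ticket API; that query is outside the hunk, so this may already be the case. A comment above the guard would record the intent, e.g. `// action-level check only; row-level visibility is enforced in the query below`. Because export is bulk data egress, logging the user id and ticket count on success and on the 403 path would also help later review.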
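Review bot: Replacing `tickets:write` with `tickets:import` in src/app/api/tickets/import/route.ts (and with `tickets:create` in the POST hunk of src/app/api/tickets/route.ts) only works if every role meant to keep these actions is granted the new names, and the role or permission definitions are not part of the visible diff. If `hasPermission` matches the string exactly, users holding only `tickets:write` will get 403 on both routes after this change, which fails closed but may surprise operators; if it matches by prefix or wildcard, the split may not restrict anything. The names are also bare string literals at each call site, so a typo would surface only at runtime; unless it is already typed that way, the second parameter of `hasPermission` could take a union such as `type TicketPermission = 'tickets:create' | 'tickets:import' | 'tickets:export'`. Both POST handler bodies continue outside their hunks.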
@@ -101,7 +101,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
- if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+ if (!hasPermission(user, 'tickets:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const body = await request.json()
 const db = getDb()