diff --git a/src/app/api/reports/[id]/download/route.ts b/src/app/api/reports/[id]/download/route.ts
index ae0e40b..0981f26 100644
--- a/src/app/api/reports/[id]/download/route.ts
+++ b/src/app/api/reports/[id]/download/route.ts
@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'
 
 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { id } = await params
 
 const db = getDb()
diff --git a/src/app/api/reports/[id]/generate/route.ts b/src/app/api/reports/[id]/generate/route.ts
index 068ff90..7894c68 100644
--- a/src/app/api/reports/[id]/generate/route.ts
+++ b/src/app/api/reports/[id]/generate/route.ts
@@ -14,7 +14,7 @@ export async function POST(
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-if (!hasPermission(user, 'reports:write')) {
+if (!hasPermission(user, 'reports:create')) {
 return NextResponse.json({ error: '权限不足' }, { status: 403 })
 }
 
diff --git a/src/app/api/reports/[id]/route.ts b/src/app/api/reports/[id]/route.ts
index 1ac6f31..28c1af1 100644
--- a/src/app/api/reports/[id]/route.ts
+++ b/src/app/api/reports/[id]/route.ts
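Review bot: The new `reports:download` check in GET is the same four-line preamble (initDatabase, getCurrentUser, 401, 403) that this commit pastes into every handler it touches — `[id]/route.ts` GET and DELETE, `download/route.ts` POST and `reports/route.ts` GET, POST and DELETE — with only the permission literal varying. Moving it into one helper that runs `getCurrentUser()` and `hasPermission()` and hands back either the user or the ready-made 401/403 `NextResponse`, used as `const guard = await requirePermission('reports:download'); if (guard.response) return guard.response` (helper name constructed here), means a future route cannot omit the 403 step the way several of these handlers did before this commit. GET's body continues outside the hunk.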
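Review bot: Renaming the generate check from `reports:write` to `reports:create` has no matching change to `@/lib/permissions` anywhere in this diff, so any role whose grant still reads `reports:write` will start receiving 403 from this POST until the grant is renamed as well; confirm the permission map was updated in a separate change. Because the permission is a bare string literal repeated across seven handlers in this commit, a stale or mistyped name fails only at runtime; typing the second parameter of `hasPermission` as a literal union such as `type Permission = 'reports:read' | 'reports:create' | 'reports:download'` (plus whatever else the map defines) would have made this rename compiler-checked. POST's signature and body continue outside the hunk.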
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'
 
 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { id } = await params
 
 const db = getDb()
@@ -72,6 +74,7 @@ export async function DELETE(_request: NextRequest, { params }: { params: Promis
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { id } = await params
 
 const db = getDb()
diff --git a/src/app/api/reports/download/route.ts b/src/app/api/reports/download/route.ts
index d704091..f21f90c 100644
--- a/src/app/api/reports/download/route.ts
+++ b/src/app/api/reports/download/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import JSZip from 'jszip'
 import fs from 'fs'
 
@@ -10,6 +11,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { ids } = await request.json()
 
 if (!Array.isArray(ids) || ids.length === 0) {
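Review bot: DELETE on a single report is gated on `reports:create`, and the bulk DELETE in `src/app/api/reports/route.ts` further down this diff uses the same literal, so the ability to create a report silently carries the ability to delete any report whose id the caller supplies. Create and delete are distinct capabilities that are commonly granted to different roles; a dedicated check, `if (!hasPermission(user, 'reports:delete')) return NextResponse.json({ error: '权限不足' }, { status: 403 })`, keeps them separable, with `reports:delete` added to `@/lib/permissions` if the map does not already define it. DELETE's body continues outside the hunk.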
diff --git a/src/app/api/reports/route.ts b/src/app/api/reports/route.ts
index 34b015a..7116e89 100644
--- a/src/app/api/reports/route.ts
+++ b/src/app/api/reports/route.ts
@@ -10,6 +10,7 @@ export async function GET() {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const db = getDb()
 const reports = db.prepare('SELECT * FROM reports ORDER BY created_at DESC').all()
 
@@ -25,7 +26,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const body = await request.json()
 const { report_type, period_start, period_end } = body
 
@@ -71,6 +72,7 @@ export async function DELETE(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 const { ids } = await request.json()
 
 if (!Array.isArray(ids) || ids.length === 0) {
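Review bot: The listing behind the new `reports:read` check still returns every column of every row (`SELECT * FROM reports`) to any holder of that permission, so whatever internal fields the table carries are sent to the client along with the report metadata; the `fs` imports in the download routes suggest a file-backed store, in which case storage paths are a plausible example, though that is not visible here. Selecting the columns the client actually needs instead of `*` keeps the authorization change from doubling as a disclosure of internal fields; if the table holds nothing internal this can stand as is. GET's body continues outside the hunk.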