diff --git a/src/controllers/games/gift.js b/src/controllers/games/gift.js
index 7cb304f..8f19060 100644
--- a/src/controllers/games/gift.js
+++ b/src/controllers/games/gift.js
@@ -24,8 +24,21 @@ router.get('/', async (req, res, next) => {
 /* 添加礼物 */
 router.post('/', async (req, res, next) => {
- const body = req.body
+ logger.db(req, '游戏管理', '兑换', '添加兑换物品')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
+ const body = req.body
 const search = await GameGift.findOne({
 game_id: body.game_id,
 gift_id: body.gift_id,
@@ -46,7 +59,7 @@ router.post('/', async (req, res, next) => {
 codes: body.codes,
 used_codes: body.used_codes,
 type: body.type,
- extraData: body.extraData
+ extraData: body.extraData,
 })
 const result = await gift.save()
 res.send({
@@ -59,8 +72,21 @@ router.post('/', async (req, res, next) => {
 /* 修改礼物 */
 router.put('/', async (req, res, next) => {
- const body = req.body
+ logger.db(req, '游戏管理', '兑换', '修改兑换物品')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
+ const body = req.body
 const search = await GameGift.findById(body._id)
 if (!search) {
 res.send({
@@ -80,7 +106,7 @@ router.put('/', async (req, res, next) => {
 used_codes: body.used_codes,
 staus: body.staus,
 type: body.type,
- extraData: body.extraData
+ extraData: body.extraData,
 }
 )
 res.send({
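Review bot: The permission check added in the `router.post('/')` hunk builds its permission string from `req.body.uid`, but the record the handler then reads and writes is selected by `body.game_id` and `body.gift_id`, and nothing visible ties the two together. Unless `uid` is validated against the target game somewhere outside this diff, a caller holding the `-edit` or `-publish` permission for one game is authorised on the strength of a value they chose themselves. The permission key should be derived from the stored record's game, or the request rejected when `uid` and the target disagree. The same applies to the PUT and DELETE hunks and the four `/list` hunks, where the target is picked by `body._id`; as a minimum, record the assumption above `const hasPerm` with `// uid is client-supplied; must match the game of the record being changed`.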
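Review bot: In the `router.put('/')` hunk the added `logger.db(...)` call and the `req.user.permissions.includes(...)` checks sit above `try {`, even though this same commit moves `const body = req.body` inside it. If `req.user`, `req.user.permissions` or `req.body` is ever missing (for instance if the authentication middleware did not populate it, which is not visible here), the async handler rejects before the try, so the catch block never runs and, depending on the Express version, the request may get no response. Making the check the first statements inside `try {`, or reading the list defensively with `const perms = req.user?.permissions ?? []`, keeps that failure on the deny path. The other six handlers that gain this block have the same placement, and the catch block itself lies outside the hunk.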
@@ -93,8 +119,21 @@ router.put('/', async (req, res, next) => {
 /* 删除礼物 */
 router.delete('/', async (req, res, next) => {
- const body = req.body
+ logger.db(req, '游戏管理', '兑换', '删除兑换物品')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
+ const body = req.body
 const result = await GameGift.updateOne(
 {_id: body._id},
 {
@@ -113,8 +152,8 @@ router.delete('/', async (req, res, next) => {
 /* 查询兑换列表 */
 router.get('/list', async (req, res, next) => {
- const query = req.query
 try {
+ const query = req.query
 let result = await GiftList.find({
 game_id: query.game_id,
 platform_id: query.platform_id,
@@ -135,6 +174,19 @@ router.get('/list', async (req, res, next) => {
 /* 添加兑换列表 */
 router.post('/list', async (req, res, next) => {
+ logger.db(req, '游戏管理', '兑换', '配置兑换列表')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
 const body = req.body
 const cfg = formatCfg(body.type, body.time)
@@ -151,7 +203,7 @@ router.post('/list', async (req, res, next) => {
 time: body.time,
 cfg: cfg,
 extraData: body.extraData,
- status: body.status
+ status: body.status,
 })
 const result = await list.save()
 res.send({
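Review bot: The permission block added in the `router.delete('/')` hunk is a verbatim copy of the one in six other handlers of this commit, so any later correction to the rule has to be made seven times and a missed copy leaves one route with a weaker check. Declaring the rule once as a route middleware and passing it to each mutating route keeps it in one place and also makes a route without it easy to spot. The fence sketches this with the same 403 response shape. The handler body continues outside the hunk.

```javascript
// Single definition of the write-permission rule for the gift routes.
// uid is client-supplied; it still has to be checked against the target record's game.
function requireGameWrite(req, res, next) {
  const perms = req.user?.permissions ?? []
  const uid = req.body?.uid
  const allowed =
    perms.includes(`${uid}-edit`) ||
    perms.includes(`${uid}-publish`) ||
    perms.includes('games-writeable')
  if (!allowed) {
    res.status(403).send({ errcode: 1, errmsg: '用户无游戏编辑权限!' })
    return
  }
  next()
}

/* 删除礼物 */
router.delete('/', requireGameWrite, async (req, res, next) => {
  logger.db(req, '游戏管理', '兑换', '删除兑换物品')
  // … unchanged: try block with GameGift.updateOne …
```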
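Review bot: `logger.db(req, '游戏管理', '兑换', '配置兑换列表')` in the `router.post('/list')` hunk runs before the permission decision, so a request that is then refused with 403 is recorded under the same label as one that went through. What `logger.db` stores is not visible here, but if it feeds an operations audit trail, refused attempts will be indistinguishable from real changes, and any authenticated caller can add entries to it. Consider moving the call below the `if (!hasPerm)` block and recording refusals separately under their own label. The other six handlers changed in this commit log in the same position.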
@@ -164,6 +216,19 @@ router.post('/list', async (req, res, next) => {
 /* 修改兑换列表 */
 router.put('/list', async (req, res, next) => {
+ logger.db(req, '游戏管理', '兑换', '修改兑换列表')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
 const body = req.body
 const search = await GiftList.findById(body._id)
@@ -191,7 +256,7 @@ router.put('/list', async (req, res, next) => {
 time: body.time,
 cfg: cfg,
 extraData: body.extraData,
- status: body.status
+ status: body.status,
 }
 )
 res.send({
@@ -204,8 +269,21 @@ router.put('/list', async (req, res, next) => {
 /* 部分修改兑换列表 */
 router.patch('/list', async (req, res, next) => {
- const body = req.body
+ logger.db(req, '游戏管理', '兑换', '修改兑换列表')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
+ const body = req.body
 const search = await GiftList.findById(body._id)
 if (!search) {
 res.send({
@@ -231,8 +309,21 @@ router.patch('/list', async (req, res, next) => {
 /* 删除兑换列表 */
 router.delete('/list', async (req, res, next) => {
- const body = req.body
+ logger.db(req, '游戏管理', '兑换', '删除兑换列表')
+ // 权限判断
+ const hasPerm =
+ req.user.permissions.includes(`${req.body.uid}-edit`) ||
+ req.user.permissions.includes(`${req.body.uid}-publish`) ||
+ req.user.permissions.includes(`games-writeable`)
+ if (!hasPerm) {
+ res.status(403).send({
+ errcode: 1,
+ errmsg: '用户无游戏编辑权限!',
+ })
+ return
+ }
 try {
+ const body = req.body
 const result = await GiftList.updateOne(
 {_id: body._id},
 {
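Review bot: The label passed to `logger.db` in the `router.patch('/list')` hunk is `'修改兑换列表'`, identical to the one in the `router.put('/list')` hunk above it, so log entries cannot tell a full replace from a partial update. If these records are used to reconstruct who changed what, a distinct label that follows the route's own comment would help, e.g. `logger.db(req, '游戏管理', '兑换', '部分修改兑换列表')`. The handler body continues outside the hunk.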