diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 938f9bba..a10357a4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -274,6 +274,7 @@ class ApplicationController < ActionController::Base
 true
 end
+
 def require_admin
 return unless require_login
 if !User.current.admin?
diff --git a/app/controllers/ec_course_supports_controller.rb b/app/controllers/ec_course_supports_controller.rb
index 3e64f2db..8b2811ad 100644
--- a/app/controllers/ec_course_supports_controller.rb
+++ b/app/controllers/ec_course_supports_controller.rb
@@ -2,6 +2,8 @@ class EcCourseSupportsController < ApplicationController
 before_filter :find_year, :except => [:edit_require_vs_course, :destroy_require_vs_course]
 skip_before_filter :verify_authenticity_token, :only => [:create, :edit_require_vs_course, :destroy_require_vs_course]
+ before_filter :require_login
+ before_filter :ec_auth
 ###############################################################################
 # 毕业要求vs课程体系
@@ -216,4 +218,11 @@ class EcCourseSupportsController < ApplicationController
 def find_year
 @year = EcYear.find(params[:ec_year_id])
 end
+
+ # 职业认证的权限判断
+ def ec_auth
+ unless User.current.admin? || (User.current.ec_school.present? && @year.ec_major_school.pluck(:school_id).include?(User.current.ec_school))
+ render_403
+ end
+ end
 end
diff --git a/app/controllers/ec_courses_controller.rb b/app/controllers/ec_courses_controller.rb
index 43fed5cb..dd5547e7 100644
--- a/app/controllers/ec_courses_controller.rb
+++ b/app/controllers/ec_courses_controller.rb
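Review bot: `before_filter :require_login` is declared after `before_filter :find_year`, so the finder still runs for anonymous requests: `EcYear.find(params[:ec_year_id])` executes (and raises RecordNotFound for an unknown id) before the login check fires, which does database work unauthenticated and lets an anonymous caller tell existing year ids from non-existing ones by the response. Move `before_filter :require_login` above `before_filter :find_year` so authentication is the first filter. The same ordering appears in the ec_courses_controller.rb (`find_ec_course`/`find_year`), ec_years_controller.rb (`find_major_and_year`) and ecs_controller.rb (`find_school`) hunks; ec_major_schools_controller.rb already places `require_login` first and is the pattern to follow.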
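Review bot: `ec_auth` dereferences `@year` unconditionally, but `find_year` is skipped for `edit_require_vs_course` and `destroy_require_vs_course` while `ec_auth` has no `:except`, so for a non-admin user those two actions raise NoMethodError on `nil.ec_major_school` (a 500) instead of returning 403 — and they are also the CSRF-exempt actions, so they deserve a deliberate scope check rather than an accidental crash. Separately, the other controllers in this commit treat `ec_major_school` as a single record (`@ec_major_school.school_id`), whereas here it is called with `pluck`, which only exists on a relation; please confirm which it is on `EcYear`. A guard-clause form makes both points explicit and tolerates either association shape:
```ruby
def ec_auth
  return if User.current.admin?
  # Actions that skip find_year must resolve their own scope before this check runs.
  return render_403 if @year.nil? || User.current.ec_school.blank?
  school_ids = Array(@year.ec_major_school).map(&:school_id)
  render_403 unless school_ids.include?(User.current.ec_school)
end
```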
@@ -3,6 +3,8 @@ class EcCoursesController < ApplicationController
 layout 'base_ec'
 before_filter :find_ec_course, :except => [:create, :get_calculation_data, :sync_all_course_data]
 before_filter :find_year, :only => [:create, :get_calculation_data]
+ before_filter :require_login
+ before_filter :ec_auth, :except => [:sync_all_course_data]
 skip_before_filter :verify_authenticity_token, :only => [:crud_targets, :crud_score_level, :sync_all_course_data, :search_courses, :correlation_course, :delete_course]
@@ -599,6 +601,13 @@ class EcCoursesController < ApplicationController
 #@is_manager = @template_major || @ec_course.ec_course_users.pluck(:user_id).include?(User.current.id)
 end
+ # 职业认证的权限判断
+ def ec_auth
+ unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @ec_major_school.school_id)
+ render_403
+ end
+ end
+
 def target_list_data course_targets
 targets = []
 course_targets.each do |ct|
diff --git a/app/controllers/ec_major_schools_controller.rb b/app/controllers/ec_major_schools_controller.rb
index 5c84a885..dc0c7c94 100644
--- a/app/controllers/ec_major_schools_controller.rb
+++ b/app/controllers/ec_major_schools_controller.rb
@@ -2,7 +2,10 @@ class EcMajorSchoolsController < ApplicationController
 layout "base_ec"
+ before_filter :require_login
+ before_filter :find_major_school, :except => [:get_navigation_data]
+ before_filter :ec_auth, :except => [:get_navigation_data]
 def show
 @years = @major_school.ec_years
@@ -182,4 +185,11 @@ class EcMajorSchoolsController < ApplicationController
 # 管理员权限
 @major_manager = User.current.admin? || @major_school.school.ec_school_users.pluck(:user_id).include?(User.current.id) || @major_school.ec_major_school_users.pluck(:user_id).include?(User.current.id)
 end
+
+ # 职业认证的权限判断
+ def ec_auth
+ unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @major_school.school_id)
+ render_403
+ end
+ end
 end
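Review bot: `sync_all_course_data` is now the only action exempt from `ec_auth`, and it is also exempt from `find_ec_course` and from CSRF verification (`skip_before_filter :verify_authenticity_token`), so after this change any logged-in user, regardless of school, can invoke it. If it legitimately operates across schools, add a comment on the `:except` saying so and make sure the action enforces its own authorization; otherwise drop it from the `:except` list and resolve the scope it needs in a filter that runs before `ec_auth`. Whether the action body does its own check is outside this hunk.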
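Review bot: `ec_auth` reads `@ec_major_school.school_id`, but none of the filters declared in this commit assign `@ec_major_school`; unless both `find_ec_course` and `find_year` set it (`create` and `get_calculation_data` only run the latter), non-admin users get a NoMethodError on nil rather than a 403. Please confirm the assignment in the finders or add `return render_403 if @ec_major_school.nil?` before the comparison. This is also the fourth copy of the same method (ec_major_schools_controller.rb, ec_years_controller.rb and ecs_controller.rb carry the others, differing only in which instance variable supplies the school id); a single helper in ApplicationController, e.g. `def require_ec_school(school_id); render_403 unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == school_id); end`, keeps the authorization rule in one place so a fix lands everywhere at once.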
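Review bot: The new `ec_auth` gates access on `User.current.ec_school == @major_school.school_id`, while the existing `@major_manager` a few lines above derives privileges from `ec_school_users`/`ec_major_school_users` membership; a user who is a listed major-school manager but whose `ec_school` attribute is unset or points elsewhere is now refused at the door, and the relationship between the two rules is undocumented. Add a comment above `def ec_auth`, e.g. `# Access gate: the viewer must belong to this major's school (User#ec_school); @major_manager decides edit rights separately.`, and confirm the membership lists are meant to be subordinate to the school attribute rather than an alternative way in.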
diff --git a/app/controllers/ec_years_controller.rb b/app/controllers/ec_years_controller.rb
index d6896157..e5a4c936 100644
--- a/app/controllers/ec_years_controller.rb
+++ b/app/controllers/ec_years_controller.rb
@@ -3,6 +3,9 @@ class EcYearsController < ApplicationController
 layout "base_ec"
 before_filter :find_major_and_year, except: [:create]
+ before_filter :require_login
+ before_filter :ec_auth
+ #before_filter :find_year, only: [:set_calculation_value]
 skip_before_filter :verify_authenticity_token, :only => [:import_students, :set_calculation_value, :destroy_students]
 require 'simple_xlsx_reader'
@@ -347,6 +350,13 @@ class EcYearsController < ApplicationController
 @template_major = User.current.admin? || @ec_major_school.school.ec_school_users.pluck(:user_id).include?(User.current.id) || @ec_major_school.ec_major_school_users.pluck(:user_id).include?(User.current.id)
 end
+ # 职业认证的权限判断
+ def ec_auth
+ unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @ec_major_school.school_id)
+ render_403
+ end
+ end
+
 def find_year
 @year = EcYear.find(params[:id])
 end
diff --git a/app/controllers/ecs_controller.rb b/app/controllers/ecs_controller.rb
index 71095852..69d50cb5 100644
--- a/app/controllers/ecs_controller.rb
+++ b/app/controllers/ecs_controller.rb
@@ -1,5 +1,7 @@
 class EcsController < ApplicationController
 before_filter :find_school, :except => [:get_navigation_url]
+ before_filter :require_login
+ before_filter :ec_auth, :except => [:get_navigation_url]
 layout 'base_ec'
 def department
@@ -62,4 +64,11 @@ class EcsController < ApplicationController
 def find_school
 @school = School.find(params[:school_id])
 end
+
+ # 职业认证的权限判断
+ def ec_auth
+ unless User.current.admin? || (User.current.ec_school.present? && User.current.ec_school == @school.id)
+ render_403
+ end
+ end
 end
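Review bot: `before_filter :ec_auth` has no `:except`, while `find_major_and_year` is skipped for `create`, so on `create` `@ec_major_school` is nil and non-admin users get a NoMethodError from `ec_auth` (a 500) instead of a 403; in effect `create` has no school check for anyone but admins, which is presumably not the intent. Either have `create` resolve `@ec_major_school` from its params in a filter that runs before `ec_auth`, or guard with `return render_403 if @ec_major_school.nil?` inside `ec_auth` and document that actions without a resolved major school are refused. The collapsed source also shows `+ #before_filter :find_year, only: [:set_calculation_value]` with an added marker; if that commented-out filter is introduced by this commit rather than pre-existing, drop it instead of committing dead code.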