diff --git a/app/api/mobile/apis/comments.rb b/app/api/mobile/apis/comments.rb
index fb6d01fb4..402bce66f 100644
--- a/app/api/mobile/apis/comments.rb
+++ b/app/api/mobile/apis/comments.rb
@@ -6,11 +6,14 @@ module Mobile
 desc '课程通知评论'
 params do
 requires :token, type: String
- requires :comment, type: String
+ requires :comments, type: String
 end
 post ':id' do
 cs = CommentService.new
- comments = cs.news_comments params,current_user
+ cs_params = {
+ id: params[:id],
+ comment: params.reject{|k,v| [:id].include?(k)}}
+ comments = cs.news_comments cs_params,current_user
 raise "create comments failed #{comments.errors.full_messages}" if comments.new_record?
 present :data, comments, with: Mobile::Entities::Comment
 present :status, 0
diff --git a/app/services/comment_service.rb b/app/services/comment_service.rb
index 23f4355e6..c7e4b29a7 100644
--- a/app/services/comment_service.rb
+++ b/app/services/comment_service.rb
@@ -2,9 +2,16 @@ class CommentService
 #评论
 def news_comments params,current_user
 @news = News.find(params[:id])
- raise Unauthorized unless @news.commentable?
+ @course = @news.course
+ if @course.nil?
+ raise 'news in unknown course'
+ end
+ raise Unauthorized unless @news.commentable?(current_user)
+ if current_user.nil? || !(current_user.admin? || @course.is_public == 1 || (@course.is_public == 0 && current_user.member_of_course?(@course)))
+ raise '403'
+ end
 @comment = Comment.new
- @comment.safe_attributes = params[:comment]
+ @comment.send(:safe_attributes=,params[:comment],current_user)
 @comment.author = current_user
 @news.comments << @comment
 @comment
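Review bot: The `comment:` value built in `cs_params` forwards every request parameter except `:id`, so the `token` declared in the `params do` block above is also handed to the service and on to `safe_attributes=`; exclude it explicitly, e.g. `comment: params.reject { |k, _| %w[id token].include?(k.to_s) }`. Whether `[:id].include?(k)` matches at all depends on the key class the framework hands back (string keys would never equal `:id`), so comparing on `k.to_s` also removes that doubt. The unused block parameter `v` should be written `_v` or `_`. The `post ':id'` block continues past the end of the hunk.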
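Review bot: The `current_user.nil?` guard comes after `@news.commentable?(current_user)` is already called with that possibly-nil user, so an anonymous request can fail with a `NoMethodError` inside `commentable?` instead of the intended authorization error; move the nil check ahead of it. The two new `raise` sites use bare strings (`'news in unknown course'`, `'403'`) while the surrounding code raises `Unauthorized`, which makes the failure reach callers as a plain `RuntimeError` unless a handler elsewhere matches on that message (not visible here). `@comment.send(:safe_attributes=, ...)` bypasses method visibility; `@comment.public_send(:safe_attributes=, params[:comment], current_user)` keeps the two-argument call without reaching into private methods. The method's closing `end` lies outside the hunk.
```ruby
    @course = @news.course
    raise 'news in unknown course' if @course.nil?
    raise Unauthorized if current_user.nil?
    raise Unauthorized unless @news.commentable?(current_user)
    # admins always; public course (is_public == 1) for anyone; private course (is_public == 0) for members only
    allowed = current_user.admin? || @course.is_public == 1 ||
              (@course.is_public == 0 && current_user.member_of_course?(@course))
    raise Unauthorized unless allowed
    # … unchanged: Comment.new, attribute assignment, author, append to @news.comments …
```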