diff --git a/app/controllers/challenges_controller.rb b/app/controllers/challenges_controller.rb
index 565545713..2ba76c60a 100644
--- a/app/controllers/challenges_controller.rb
+++ b/app/controllers/challenges_controller.rb
@@ -8,7 +8,7 @@ class ChallengesController < ApplicationController
   # 关卡更新和操作的权限控制
   before_action :update_allowed, except: [:index]
   # 关卡访问的权限控制
-  before_action :shixun_access_allowed
+  before_action :shixun_access_allowed, only: [:index]
 
   include ShixunsHelper
   include ChallengesHelper
diff --git a/app/controllers/shixuns_controller.rb b/app/controllers/shixuns_controller.rb
index 0cf4fc77e..52e05e57d 100644
--- a/app/controllers/shixuns_controller.rb
+++ b/app/controllers/shixuns_controller.rb
@@ -624,12 +624,12 @@ class ShixunsController < ApplicationController
 
   def add_collaborators
       member_ids = "(" + @shixun.shixun_members.map(&:user_id).join(',') +  ")"
-      user_name = "%#{params[:user_name].strip}%"
-      school_name = "%#{params[:school_name].strip}%"
+      user_name = "%#{params[:user_name].to_s.strip}%"
+      school_name = "%#{params[:school_name].to_s.strip}%"
 			if user_name.present? || school_name.present?
 				@users = User.joins(user_extension: :school).where("users.id not in #{member_ids} AND users.status = 1 AND
 																								 LOWER(users.lastname) LIKE '#{user_name}' AND LOWER(schools.name) LIKE
-																								 '#{school_name}'")
+																								 '#{school_name}'").limit(20)
 			else
 				@users = User.none
 			end