diff --git a/src/webapi/router/router.go b/src/webapi/router/router.go
index cdc3da9fa73b77f66a3176088a6aa5d73d8cf422..251f5b1ad88d3d2ae5710e9713cc81e67e4f8b89 100644
--- a/src/webapi/router/router.go
+++ b/src/webapi/router/router.go
@@ -186,7 +186,7 @@ func configRoute(r *gin.Engine, version string) {
 	pages.POST("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/add"), bgrw(), alertRuleAdd)
 	pages.DELETE("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/del"), bgrw(), alertRuleDel)
 	pages.PUT("/busi-group/:id/alert-rules/fields", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePutFields)
-	pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePut)
+	pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), alertRulePut)
 	pages.GET("/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules"), alertRuleGet)
 
 	pages.GET("/busi-group/:id/alert-mutes", jwtAuth(), user(), perm("/alert-mutes"), bgro(), alertMuteGets)
diff --git a/src/webapi/router/router_alert_rule.go b/src/webapi/router/router_alert_rule.go
index cdd3529f01490526713ba444d4ffa38eeea527e2..644ef28256263db7eb036bc954b2da474b29e032 100644
--- a/src/webapi/router/router_alert_rule.go
+++ b/src/webapi/router/router_alert_rule.go
@@ -78,6 +78,8 @@ func alertRulePut(c *gin.Context) {
 		return
 	}
 
+	bgrwCheck(c, ar.GroupId)
+
 	f.UpdateBy = c.MustGet("username").(string)
 	ginx.NewRender(c).Message(ar.Update(f))
 }
diff --git a/src/webapi/router/router_mw.go b/src/webapi/router/router_mw.go
index c6994c3490ab1aa355a80c2a15c5cdb1bbadc42b..71e599a38614ea64240ef4627d871d54070c8081 100644
--- a/src/webapi/router/router_mw.go
+++ b/src/webapi/router/router_mw.go
@@ -105,6 +105,7 @@ func bgro() gin.HandlerFunc {
 	}
 }
 
+// bgrw 逐步要被干掉,不安全
 func bgrw() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)
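Review bot: Once bgrw() is dropped from the PUT /busi-group/:id/alert-rule/:arid route, the :id path segment is no longer checked by any middleware; the only authorization left is the handler's bgrwCheck(c, ar.GroupId), so a request whose :id does not match the rule's real group is still accepted. Deciding on the rule's own GroupId is the sounder basis, but the now-unverified :id should either be compared against ar.GroupId in alertRulePut or be documented as ignored so nobody later reads c.Param("id") believing it was authorized; proposed comment above the PUT line: `// :id is not authorized on this route; alertRulePut checks rw access against the rule's own GroupId`. The neighbouring POST, DELETE and PUT /alert-rules/fields registrations in this hunk still depend on bgrw(), which this same commit annotates as unsafe, so their migration should be tracked alongside this one.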
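Review bot: bgrwCheck(c, ar.GroupId) authorizes against the rule's current group only; if ar.Update(f) applies f.GroupId from the request body, a caller with rw on the current group could move the rule into a group they are not allowed to write. Either pin the group before updating, `f.GroupId = ar.GroupId`, or run the same check against f.GroupId when it differs from ar.GroupId. The placement also relies on ginx.Bomb and ginx.Dangerous aborting the request (presumably by panic caught upstream) so that the Update call two lines below is never reached on denial — worth confirming, since a non-aborting Bomb would reduce this to a response-only check. alertRulePut begins outside the hunk, so where ar and f are bound is not visible here.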
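Review bot: The new comment on bgrw is in Chinese and states only that the middleware is unsafe and slated for removal, without the reason a maintainer needs when deciding whether a new route may still use it. From what this hunk shows, bgrw reads the user from the context and, by contrast with bgrwCheck, has no group id argument, so it presumably derives the group from the request path rather than from the resource being modified (its body continues outside the hunk). Proposed replacement: `// bgrw authorizes rw access to the business group named in the request rather than the resource's own group. Deprecated: use bgrwCheck with the resource's GroupId instead.` The Deprecated marker also lets tooling surface the remaining callers.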
@@ -122,6 +123,21 @@ func bgrw() gin.HandlerFunc {
 	}
 }
 
+// bgrwCheck 要逐渐替换掉bgrw方法,更安全
+func bgrwCheck(c *gin.Context, bgid int64) {
+	me := c.MustGet("user").(*models.User)
+	bg := BusiGroup(bgid)
+
+	can, err := me.CanDoBusiGroup(bg, "rw")
+	ginx.Dangerous(err)
+
+	if !can {
+		ginx.Bomb(http.StatusForbidden, "forbidden")
+	}
+
+	c.Set("busi_group", bg)
+}
+
 func perm(operation string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)
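Review bot: bgrwCheck's correctness as an authorization gate depends on ginx.Bomb unwinding the request: there is no return after the Bomb call, so if Bomb only writes a response, `c.Set("busi_group", bg)` still runs and, more importantly, the caller continues into its write. That contract belongs in the doc comment, which is currently a Chinese one-liner; proposed: `// bgrwCheck aborts the request (via ginx.Bomb) unless the current user has read-write access to business group bgid, and on success stores the group under "busi_group". It replaces bgrw, which decides from the request instead of the resource's own group.` A second point to confirm is the unknown-group path: BusiGroup(bgid) is opaque here, and if it returns a nil or zero group for an id that does not exist, CanDoBusiGroup should deny rather than grant, otherwise a rule whose GroupId is stale or zero would be writable by anyone with the perm.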