diff --git a/app/api/mobile/apis/courses.rb b/app/api/mobile/apis/courses.rb
index 1b863cd22..21fec6241 100644
--- a/app/api/mobile/apis/courses.rb
+++ b/app/api/mobile/apis/courses.rb
@@ -95,7 +95,9 @@ module Mobile
       end
       route_param :id do
         get do
-          course = Course.find(params[:id])
+          cs = CoursesService.new
+          course = cs.show_course params,current_user
+          #course = Course.find(params[:id])
           {status: 0, data: course}
         end
       end
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index f1d97cbe7..868540b64 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -87,8 +87,10 @@ class NewsController < ApplicationController
   end
 
   def show
-    @comments = @news.comments
-    @comments.reverse! if User.current.wants_comments_in_reverse_order?
+    cs = CoursesService.new
+    @news,@comments = cs.show_course_news params,User.current
+    #@comments = @news.comments
+    #@comments.reverse! if User.current.wants_comments_in_reverse_order?
     #modify by nwb
     if @news.course_id
       @course = Course.find(@news.course_id)
diff --git a/app/services/courses_service.rb b/app/services/courses_service.rb
index bb36f3cb3..09e4289b5 100644
--- a/app/services/courses_service.rb
+++ b/app/services/courses_service.rb
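Review bot: A denied request inside the `get do` block now surfaces as an unhandled RuntimeError, because `cs.show_course params,current_user` signals authorization failure with `raise '403'` (courses_service.rb in this same commit) and nothing in this endpoint rescues it, so the mobile client would receive a 500 unless a `rescue_from` elsewhere in the Grape API maps that exception — none is visible in this diff. Rescuing it here and answering with Grape's `error!` turns the denial into a real 403; the sketch below uses a constructed error body, so match it to the API's existing error convention. The commented-out `#course = Course.find(params[:id])` is dead code now that the service does the lookup and should be deleted rather than kept as a comment.
```ruby
        get do
          cs = CoursesService.new
          begin
            course = cs.show_course(params, current_user)
          rescue RuntimeError => e
            raise unless e.message == '403'
            error!({status: 403, message: 'forbidden'}, 403) # constructed body; align with the API's error format
          end
          {status: 0, data: course}
        end
```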
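Review bot: `@news,@comments = cs.show_course_news params,User.current` throws away the `@news` the removed lines relied on and has the service re-run `News.find(params[:id])`, so whatever loaded `@news` before this point (presumably a before_filter — the start of `show` and the controller's filters lie outside the hunk) is duplicated instead of reused. The new service-side `show_course_news_authorize` is called neither here nor inside `show_course_news`, so no permission check was actually added by this change; if the intent is to move authorization into the service, `show_course_news` should invoke that helper itself, and if the controller filter remains the gate, pass the already-loaded `@news` in instead of re-fetching by id. As a style point, `@news, @comments = cs.show_course_news(params, User.current)` with spaces after commas and parenthesized arguments is the conventional Ruby form. The body of `show` continues past the end of this hunk.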
@@ -83,13 +83,29 @@ class CoursesService
     scope = @course ? @course.news.course_visible : News.course_visible
   end
 
-  #显示课程通知
-  def show_course_news
-
+  #查看新闻权限验证
+  def show_course_news_authorize(current_user,course)
+    unless current_user.allowed_to?({:controller => 'news', :action => 'show'}, course)
+      raise '403'
+    end
   end
 
-  def show_course params
+  #显示课程通知(包括评论) 需验证权限
+  def show_course_news params,current_user
+    @news = News.find(params[:id])
+    @comments = @news.comments
+    @comments.reverse! if current_user.wants_comments_in_reverse_order?
+    [@news,@comments]
+  end
+
+
+
+  #显示课程
+  def show_course(params,currnet_user)
     course = Course.find(params[:id])
+    unless (course.is_public == 1 || currnet_user.member_of_course?(@course)|| currnet_user.admin?)
+      raise '403'
+    end
     course
   end
@@ -128,7 +144,14 @@ class CoursesService
     @course
   end
 
-  #编辑课程
+  #验证编辑课程的权限
+  def edit_course_authorize(current_user,course)
+    unless current_user.allowed_to?({:controller => 'courses', :action => 'update'}, course)
+      raise '403'
+    end
+  end
+
+  #编辑课程 需验证权限
   def edit_course params,course
     course.safe_attributes = params[:course]
     course.time = params[:time]
diff --git a/app/services/users_service.rb b/app/services/users_service.rb
index d281edb19..928ae99ad 100644
--- a/app/services/users_service.rb
+++ b/app/services/users_service.rb
@@ -59,6 +59,7 @@ class UsersService
   end
 
   #编辑用户
+  #gender 1:female 0:male 其他:male
   def edit_user params
     @user = User.find(params[:id])
     fileio = params[:file]
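Review bot: The membership test in `show_course` reads `currnet_user.member_of_course?(@course)`, i.e. the instance variable `@course`, not the local `course` it just loaded from `params[:id]`; `@course` is never assigned in this method, so for a non-public course the decision depends on whatever an earlier call on the same service instance left in `@course` (or on nil), which is an authorization bug — it should be `currnet_user.member_of_course?(course)`. While there, `currnet_user` is a typo for `current_user` (consistent inside the method, so it runs, but it invites a mismatch later). Authorization failure is signalled by `raise '403'`, a RuntimeError carrying a magic string, in `show_course_news_authorize`, `show_course` and `edit_course_authorize` in the next hunk; a dedicated error such as `class ForbiddenError < StandardError; end` in this service lets callers rescue by type instead of comparing messages. `show_course_news_authorize` is defined but never called by `show_course_news`, whose comment says it requires a permission check, and `edit_course_authorize`/`edit_course` in the next hunk have the same gap; either each method should call its authorize helper first, or the comment should state that the caller is responsible.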