diff --git a/backend/src/main/java/io/metersphere/track/controller/IssuesController.java b/backend/src/main/java/io/metersphere/track/controller/IssuesController.java
index 6c0c7e095a..84744b8f88 100644
--- a/backend/src/main/java/io/metersphere/track/controller/IssuesController.java
+++ b/backend/src/main/java/io/metersphere/track/controller/IssuesController.java
@@ -7,6 +7,7 @@ import io.metersphere.base.domain.IssuesDao;
 import io.metersphere.base.domain.IssuesWithBLOBs;
 import io.metersphere.commons.constants.NoticeConstants;
 import io.metersphere.commons.constants.OperLogConstants;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.dto.IssueTemplateDao;
@@ -18,6 +19,7 @@ import io.metersphere.track.request.testcase.AuthUserIssueRequest;
 import io.metersphere.track.request.testcase.IssuesRequest;
 import io.metersphere.track.request.testcase.IssuesUpdateRequest;
 import io.metersphere.track.service.IssuesService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -31,18 +33,21 @@ public class IssuesController {
     private IssuesService issuesService;
 
     @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
     public Pager<List<IssuesDao>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody IssuesRequest request) {
         Page<List<Issues>> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, issuesService.list(request));
     }
 
     @PostMapping("/list/relate/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
     public Pager<List<IssuesDao>> relateList(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody IssuesRequest request) {
         Page<List<Issues>> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, issuesService.relateList(request));
     }
 
     @PostMapping("/add")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_CREATE)
     @MsAuditLog(module = "track_bug", type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#issuesRequest)", msClass = IssuesService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.DEFECT_TASK, target = "#issuesRequest",
             event = NoticeConstants.Event.CREATE, mailTemplate = "track/IssuesCreate", subject = "缺陷通知")
@@ -51,6 +56,7 @@ public class IssuesController {
     }
 
     @PostMapping("/update")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
     @MsAuditLog(module = "track_bug", type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#issuesRequest.id)", content = "#msClass.getLogDetails(#issuesRequest.id)", msClass = IssuesService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.DEFECT_TASK, target = "#issuesRequest",
             event = NoticeConstants.Event.UPDATE, mailTemplate = "track/IssuesUpdate", subject = "缺陷通知")
@@ -59,17 +65,20 @@ public class IssuesController {
     }
 
     @GetMapping("/get/case/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
     public List<IssuesDao> getIssues(@PathVariable String id) {
         return issuesService.getIssues(id);
     }
 
     @GetMapping("/get/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
     public IssuesWithBLOBs getIssue(@PathVariable String id) {
         return issuesService.getIssue(id);
     }
 
     @GetMapping("/plan/get/{planId}")
-    public List<IssuesDao> getIssuesByPlanoId(@PathVariable String planId) {
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    public List<IssuesDao> getIssuesByPlanId(@PathVariable String planId) {
         return issuesService.getIssuesByPlanoId(planId);
     }
 
@@ -89,6 +98,7 @@ public class IssuesController {
     }
 
     @PostMapping("/delete")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_DELETE)
     @MsAuditLog(module = "track_bug", type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#request.id)", msClass = IssuesService.class)
     public void deleteIssue(@RequestBody IssuesRequest request) {
         issuesService.deleteIssue(request);
diff --git a/backend/src/main/java/io/metersphere/track/controller/TestCaseReviewController.java b/backend/src/main/java/io/metersphere/track/controller/TestCaseReviewController.java
index dba9901a49..0709940b57 100644
--- a/backend/src/main/java/io/metersphere/track/controller/TestCaseReviewController.java
+++ b/backend/src/main/java/io/metersphere/track/controller/TestCaseReviewController.java
@@ -44,6 +44,7 @@ public class TestCaseReviewController {
     private TestCaseCommentService testCaseCommentService;
 
     @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
     public Pager<List<TestCaseReviewDTO>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryCaseReviewRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, testCaseReviewService.listCaseReview(request));
@@ -59,6 +60,7 @@ public class TestCaseReviewController {
     }
 
     @PostMapping("/project")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
     public List<Project> getProjectByReviewId(@RequestBody TestCaseReview request) {
         return testCaseReviewService.getProjectByReviewId(request);
     }
@@ -99,6 +101,7 @@ public class TestCaseReviewController {
     }
 
     @PostMapping("/list/all")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
     public List<TestCaseReview> listAll() {
         return testCaseReviewService.listCaseReviewAll();
     }
@@ -126,6 +129,7 @@ public class TestCaseReviewController {
 
 
     @GetMapping("/get/{reviewId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
     public TestCaseReview getTestReview(@PathVariable String reviewId) {
         checkPermissionService.checkTestReviewOwner(reviewId);
         return testCaseReviewService.getTestReview(reviewId);
diff --git a/backend/src/main/java/io/metersphere/track/controller/TestPlanController.java b/backend/src/main/java/io/metersphere/track/controller/TestPlanController.java
index a6b0db84de..2cf5e48f5c 100644
--- a/backend/src/main/java/io/metersphere/track/controller/TestPlanController.java
+++ b/backend/src/main/java/io/metersphere/track/controller/TestPlanController.java
@@ -71,6 +71,7 @@ public class TestPlanController {
     }
 
     @PostMapping("/list/all")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
     public List<TestPlan> listAll(@RequestBody QueryTestPlanRequest request) {
         return testPlanService.listTestAllPlan(request);
     }
@@ -87,6 +88,7 @@ public class TestPlanController {
     }
 
     @PostMapping("/get/{testPlanId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
     public TestPlan getTestPlan(@PathVariable String testPlanId) {
         checkPermissionService.checkTestPlanOwner(testPlanId);
         return testPlanService.getTestPlan(testPlanId);