diff --git a/src/plugin/admin/app/controller/AdminRuleController.php b/src/plugin/admin/app/controller/AdminRuleController.php
index 83b3471..8327918 100644
--- a/src/plugin/admin/app/controller/AdminRuleController.php
+++ b/src/plugin/admin/app/controller/AdminRuleController.php
@@ -19,7 +19,7 @@ class AdminRuleController extends Crud
*
* @var string[]
*/
- public $noNeedAuth = ['get', 'permission'];
+ public $noNeedAuth = ['get', 'permissionCodes'];
/**
* @var AdminRule
@@ -104,33 +104,64 @@ class AdminRuleController extends Crud
* @param Request $request
* @return Response
*/
- public function permission(Request $request): Response
+ public function permissionCodes(Request $request): Response
{
$rules = $this->getRules(admin('roles'));
// 超级管理员
if (in_array('*', $rules)) {
return $this->json(0, 'ok', ['*']);
}
- $controller = $request->get('controller');
- if (!$controller) {
- return $this->json(0, 'ok', []);
- }
- // 获取详细权限
- $controller_search = str_replace('\\', '\\\\', $controller);
- $keys = AdminRule::where('key', 'like', "$controller_search%")
- ->whereIn('id', $rules)->pluck('key');
+ $keys = AdminRule::whereIn('id', $rules)->pluck('key');
$permissions = [];
- $prefix_length = strlen($controller) + 1;
foreach ($keys as $key) {
- if ($key === $controller) {
- $permissions = ['*'];
- break;
+ $key = strtolower($key);
+ $action = '';
+ if (strpos($key, '@')) {
+ [$key, $action] = explode( '@', $key, 2);
+ }
+ $prefix = 'plugin';
+ $paths = explode('\\', $key);
+ if (count($paths) < 2) {
+ continue;
+ }
+ $base = '';
+ if (strpos($key, "$prefix\\") === 0) {
+ if (count($paths) < 4) {
+ continue;
+ }
+ array_shift($paths);
+ $plugin = array_shift($paths);
+ $base = "app.$plugin.";
+ }
+ if ($code = $this->formatPermissionCode($paths, $action, $base)) {
+ $permissions[] = $code;
}
- $permissions[] = substr($key, $prefix_length);
}
return $this->json(0, 'ok', $permissions);
}
+ /**
+ * @param $paths
+ * @param $action
+ * @param string $base
+ * @return false|string
+ */
+ protected function formatPermissionCode($paths, $action, string $base = '')
+ {
+ array_shift($paths);
+ foreach ($paths as $index => $path) {
+ if ($path === 'controller') {
+ unset($paths[$index]);
+ }
+ }
+ $suffix = 'controller';
+ $code = $base . implode('.', $paths);
+ if (substr($code, -strlen($suffix)) === $suffix) {
+ $code = substr($code, 0, -strlen($suffix));
+ }
+ return $action ? "$code.$action" : $code;
+ }
+
/**
* 根据类同步规则到数据库
* @return void
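Review bot: The codes built in `formatPermissionCode` are derived from stored `key` values and returned without any character check, while the client in common.js concatenates each one into a CSS attribute selector and appends it to the page head. A key containing a quote or an angle bracket would change the injected stylesheet, so the final string should be restricted to the expected alphabet before it is returned, for example `$result = $action ? "$code.$action" : $code;` followed by `return preg_match('/\A[a-z0-9_.]+\z/', $result) ? $result : '';`. Separately, `if (strpos($key, '@'))` tests truthiness, so an `@` at offset 0 is treated as absent; `strpos($key, '@') !== false` states the intent. The docblock advertises `false|string`, but no path returns `false`, and `$paths` and `$action` carry no types; `array $paths, string $action` with a `string` return type would match what the code does.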
diff --git a/src/plugin/admin/app/view/user/index.html b/src/plugin/admin/app/view/user/index.html
index 3e4151e..0674c8f 100644
--- a/src/plugin/admin/app/view/user/index.html
+++ b/src/plugin/admin/app/view/user/index.html
@@ -150,18 +150,18 @@
@@ -171,7 +171,7 @@
// 相关常量
const PRIMARY_KEY = "id";
- const CONTROLLER = "plugin\\admin\\app\\controller\\UserController";
+ //const CONTROLLER = "plugin\\admin\\app\\controller\\UserController";
const SELECT_API = "/app/admin/user/select";
const UPDATE_API = "/app/admin/user/update";
const DELETE_API = "/app/admin/user/delete";
diff --git a/src/plugin/admin/public/admin/js/common.js b/src/plugin/admin/public/admin/js/common.js
index 9b49f9d..cb8e909 100644
--- a/src/plugin/admin/public/admin/js/common.js
+++ b/src/plugin/admin/public/admin/js/common.js
@@ -36,22 +36,23 @@ function toggleSearchFormShow()
* 获取控制器详细权限,并决定展示哪些按钮或dom元素
*/
layui.$(function () {
- if (typeof CONTROLLER === "undefined") return;
let $ = layui.$;
$.ajax({
- url: "/app/admin/admin-rule/permission",
+ url: "/app/admin/admin-rule/permission-codes",
dataType: "json",
- data: {controller: CONTROLLER},
success: function (res) {
let style = '';
- layui.each(res.data || [], function (k, action) {
- if (action === '*') {
- style = '*[permission]{display: initial}';
- return;
- }
- style += '*[permission="'+action+'"]{display: initial}';
+ let codes = res.data || [];
+ // codes里有*,说明是超级管理员,拥有所有权限
+ if (codes.indexOf('*') !== -1) {
+ $("head").append("");
+ return;
+ }
+ // 细分权限
+ layui.each(codes, function (k, code) {
+ codes[k] = '*[permission^="'+code+'"]';
});
- $("head").append("");
+ $("head").append("");
}
});
});
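Review bot: The selector `'*[permission^="'+code+'"]'` matches on a raw string prefix with no segment boundary, so a controller-level code also reveals elements that belong to any other controller whose code merely starts with the same characters. Given how the server side strips the `controller` suffix, a grant on `app.admin.admin` would also match `permission="app.admin.adminrole.insert"`. Matching the exact code or the code followed by a dot avoids this: `codes[k] = '*[permission="'+code+'"],*[permission^="'+code+'."]';`, assuming the selectors are comma-joined in the `append` call, whose argument is not visible in this capture. This only affects which buttons are displayed, so the server-side check on each action remains the actual control.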