diff --git a/api/v1/views/approve_request.py b/api/v1/views/approve_request.py
index 916a4a399..f4ff783ee 100644
--- a/api/v1/views/approve_request.py
+++ b/api/v1/views/approve_request.py
@@ -31,7 +31,7 @@ def approve_request_list(
 request, tenant_id: str, package: str = "", is_approved: str = ""
 ):
 tenant = request.tenant
- requests = ApproveRequest.valid_objects.filter(user__tenant=tenant)
+ requests = ApproveRequest.valid_objects.filter(tenant=tenant)
 if package:
 requests = requests.filter(action__extension__package=package)
 if is_approved == "true":
diff --git a/api/v1/views/mine.py b/api/v1/views/mine.py
index 761b581c9..5c2ed7d4a 100644
--- a/api/v1/views/mine.py
+++ b/api/v1/views/mine.py
@@ -147,7 +147,7 @@ def get_mine_approve_requests(
 ):
 """我的审批列表"""
 tenant = request.tenant
- requests = ApproveRequest.valid_objects.filter(user=request.user)
+ requests = ApproveRequest.valid_objects.filter(user=request.user, tenant=tenant)
 if package:
 requests = requests.filter(action__extension__package=package)
 if is_approved == "true":
diff --git a/arkid/core/api.py b/arkid/core/api.py
index eb7a948d9..1912ba2ca 100644
--- a/arkid/core/api.py
+++ b/arkid/core/api.py
@@ -107,6 +107,16 @@ def authenticate(self, request, token, app_id, app_secret):
 if not token:
 token = ExpiringToken.objects.create(user=request.user, token=generate_token())
 tenant = request.tenant
+ # 获取操作id查询用户权限
+ operation_id = request.operation_id
+ if operation_id:
+ from arkid.core.perm.permission_data import PermissionData
+ permissiondata = PermissionData()
+ if token.user and tenant:
+ result = permissiondata.api_system_permission_check(request.tenant, token.user, operation_id)
+ if result is False:
+ raise HttpError(403, _('You do not have api permission','你没有这个接口的权限'))
+ return token
 else:
 if token:
 # 使用传统的token访问
diff --git a/arkid/core/approve.py b/arkid/core/approve.py
index 1680de5b4..eb0fe9f5d 100644
--- a/arkid/core/approve.py
+++ b/arkid/core/approve.py
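Review bot: The new `filter(tenant=tenant)` in `approve_request_list` (api/v1/views/approve_request.py) will stop returning approve requests created before this commit, because migration 0028 in the same diff adds `tenant` as a nullable column with `default=None` and no backfill is visible. The same applies to the changed filters in `get_mine_approve_requests` (api/v1/views/mine.py) and `list_tenant_approve_requests` (extension_root/com_longgui_approve_system_arkid/__init__.py). Consider a data migration that fills `tenant` for existing rows from the user's tenant, which the old `user__tenant` filter relied on, or as a transition `filter(Q(tenant=tenant) | Q(tenant__isnull=True, user__tenant=tenant))`. All three function bodies continue outside their hunks.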
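Review bot: The permission check added to `authenticate` (arkid/core/api.py) fails open: it refuses only when `api_system_permission_check` returns exactly `False`, and it is not run at all when `request.operation_id` is empty or when `token.user` or `request.tenant` is unset, so each of those cases appears to end with the token being accepted. For an authorisation gate a default-deny form is safer, for example `if not result:` ahead of the `raise HttpError(403, …)`, together with an explicit decision, recorded in a comment, on whether a request without an operation id or tenant may pass. Indentation is lost in this view, so the nesting is inferred from statement order, and the `else:` branch for traditional tokens continues outside the hunk; confirm it applies the same check.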
@@ -30,6 +30,7 @@ def restore_approve_request(approve_request):
 def create_approve_request(http_request, user, approve_action):
 environ = http_request.environ
+ tenant = http_request.tenant
 environ.pop("wsgi.input")
 environ.pop("wsgi.errors")
 environ.pop("wsgi.file_wrapper")
@@ -44,6 +45,7 @@ def create_approve_request(http_request, user, approve_action):
 approve_request = ApproveRequest.valid_objects.create(
 action=approve_action,
+ tenant=tenant,
 user=user,
 environ=environ,
 body=http_request.body,
diff --git a/arkid/core/migrations/0028_approverequest_tenant.py b/arkid/core/migrations/0028_approverequest_tenant.py
new file mode 100644
index 000000000..447b12796
--- /dev/null
+++ b/arkid/core/migrations/0028_approverequest_tenant.py
@@ -0,0 +1,19 @@ +# Generated by Django 4.0.6 on 2022-09-16 03:42 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [ + ('core', '0027_app_arkstore_category_id'), + ] + + operations = [ + migrations.AddField( + model_name='approverequest', + name='tenant', + field=models.ForeignKey(default=None, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='approve_request_set', related_query_name='requests', to='core.tenant', verbose_name='Tenant'), + ), + ]
diff --git a/arkid/core/models.py b/arkid/core/models.py
index f8c5574d6..61e18c9e5 100644
--- a/arkid/core/models.py
+++ b/arkid/core/models.py
@@ -609,6 +609,16 @@ class Meta(object):
 related_query_name="requests",
 )
+ tenant = models.ForeignKey(
+ 'Tenant',
+ default=None,
+ null=True,
+ on_delete=models.CASCADE,
+ verbose_name=_('Tenant', '租户'),
+ related_name="approve_request_set",
+ related_query_name="requests",
+ )
+
 action = models.ForeignKey(
 'ApproveAction',
 default=None,
diff --git a/extension_root/com_longgui_approve_system_arkid/__init__.py b/extension_root/com_longgui_approve_system_arkid/__init__.py
index 2d1ca1731..fa37078ba 100644
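Review bot: In `create_approve_request` (arkid/core/approve.py), `http_request.tenant` is stored without checking that it is set; the `tenant` column is nullable, so a request that arrives without a tenant would be saved with a NULL tenant and then never match the `tenant=` filters the list views now use. The `if token.user and tenant:` guard added in arkid/core/api.py suggests `request.tenant` can be empty. Consider rejecting that case up front, e.g. `if tenant is None: raise ValueError("approve request requires a tenant")`, or falling back to the user's tenant. The function continues outside both hunks.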
--- a/extension_root/com_longgui_approve_system_arkid/__init__.py
+++ b/extension_root/com_longgui_approve_system_arkid/__init__.py
@@ -54,7 +54,7 @@ def list_tenant_approve_requests(
 ):
 package = 'com.longgui.approve.system.arkid'
 requests = ApproveRequest.valid_objects.filter(
- user__tenant=request.tenant, action__extension__package=package
+ tenant=request.tenant, action__extension__package=package
 )
 if is_approved == 'true':
 requests = requests.exclude(status="wait")