diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 99bc19fda..e0508efe8 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -224,6 +224,7 @@ class AccountsController < ApplicationController
   def change_password 
     return render_error("两次输入的密码不一致") if params[:password].to_s != params[:new_password_repeat].to_s
     @user = User.find_by(login: params[:login])
+    return render_forbidden unless User.current.login == @user&.login
     return render_error("此用户禁止修改密码！") if @user.id.to_i === 104691
     return render_error("未找到相关用户!") if @user.blank?
     return render_error("旧密码不正确") unless @user.check_password?(params[:old_password])