diff --git a/http/controller/admin/login.go b/http/controller/admin/login.go
index f18f348..9c0bb8a 100644
--- a/http/controller/admin/login.go
+++ b/http/controller/admin/login.go
@@ -182,15 +182,20 @@ func (ct *Login) Login(c *gin.Context) {
 global.Logger.Warn(fmt.Sprintf("Login Fail: %s %s %s", "UsernameOrPasswordError", c.RemoteIP(), clientIp))
 loginLimiter.RecordFailure(clientIp)
 if loginLimiter.NeedsCaptcha(clientIp) {
- // 移除原验证码,重新生成
 loginLimiter.RemoveCaptcha(clientIp)
- response.Fail(c, 110, response.TranslateMsg(c, "UsernameOrPasswordError"))
- return
 }
 response.Fail(c, 101, response.TranslateMsg(c, "UsernameOrPasswordError"))
 return
 }
 
+ if !service.AllService.UserService.CheckUserEnable(u) {
+ if loginLimiter.NeedsCaptcha(clientIp) {
+ loginLimiter.RemoveCaptcha(clientIp)
+ }
+ response.Fail(c, 101, response.TranslateMsg(c, "UserDisabled"))
+ return
+ }
+
 ut := service.AllService.UserService.Login(u, &model.LoginLog{
 UserId: u.Id,
 Client: model.LoginLogClientWebAdmin,
diff --git a/http/controller/api/login.go b/http/controller/api/login.go
index 4fbb46c..c932caa 100644
--- a/http/controller/api/login.go
+++ b/http/controller/api/login.go
@@ -51,6 +51,11 @@ func (l *Login) Login(c *gin.Context) {
 return
 }
 
+ if !service.AllService.UserService.CheckUserEnable(u) {
+ response.Error(c, response.TranslateMsg(c, "UserDisabled"))
+ return
+ }
+
 //根据refer判断是webclient还是app
 ref := c.GetHeader("referer")
 if ref != "" {
diff --git a/http/middleware/admin.go b/http/middleware/admin.go
index fec4974..15d49b0 100644
--- a/http/middleware/admin.go
+++ b/http/middleware/admin.go
@@ -24,6 +24,14 @@ func AdminAuth() gin.HandlerFunc {
 return
 }
 
+ if !service.AllService.UserService.CheckUserEnable(user) {
+ c.JSON(401, gin.H{
+ "error": "Unauthorized",
+ })
+ c.Abort()
+ return
+ }
+
 c.Set("curUser", user)
 c.Set("token", token)
 //如果时间小于1天,token自动续期
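Review bot: The disabled-account branch added in `http/controller/admin/login.go` rejects the login without logging it, while the password-failure branch directly above writes a `Login Fail` warning with both client addresses. A refused attempt on a disabled account (presumably one that passed the credential check, since this branch follows it) is an event an operator would want recorded, so I would add `global.Logger.Warn(fmt.Sprintf("Login Fail: %s %s %s", "UserDisabled", c.RemoteIP(), clientIp))` before `response.Fail`. The `http/controller/api/login.go` hunk has the same gap: its new branch returns `response.Error` with no log line. Both `Login` functions start and end outside their hunks, so whether the attempt should also go through `loginLimiter.RecordFailure(clientIp)` cannot be judged from here.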
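Review bot: The `CheckUserEnable` check added to `AdminAuth` in `http/middleware/admin.go` stops a disabled user's existing token only on routes behind this middleware, and only by refusing the request; nothing in the hunk invalidates the token itself. This diff changes no other middleware, so if the non-admin API routes authenticate through a separate handler (likely, given the separate `api` login controller), a token issued before the account was disabled may keep working there. I would apply the same check in that handler, or revoke the user's tokens at the moment the account is disabled, and add a comment here such as `// reject tokens of accounts disabled after login`. `AdminAuth`'s body continues outside the hunk.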