diff --git a/server/internal/library/hgorm/handler/filter_auth.go b/server/internal/library/hgorm/handler/filter_auth.go
index 30a7fc7..ada533f 100644
--- a/server/internal/library/hgorm/handler/filter_auth.go
+++ b/server/internal/library/hgorm/handler/filter_auth.go
@@ -63,17 +63,23 @@ func FilterAuthWithField(filterField string) func(m *gdb.Model) *gdb.Model {
 g.Log().Panic(ctx, "failed to role information roleModel == nil")
 }
- sq := g.Model("admin_member").Fields("id")
+ getDeptIds := func(in interface{}) []gdb.Value {
+ ds, err := g.Model("admin_member").Fields("id").Where("dept_id", in).Array()
+ if err != nil {
+ g.Log().Panic(ctx, "failed to get member dept data")
+ }
+ return ds
+ }
 switch role.DataScope {
 case consts.RoleDataAll: // 全部权限
 // ...
 case consts.RoleDataNowDept: // 当前部门
- m = m.WhereIn(filterField, sq.Where("dept_id", co.User.DeptId))
- case consts.RoleDataDeptAndSub: // 当前部门及以下部门
- m = m.WhereIn(filterField, sq.WhereIn("dept_id", GetDeptAndSub(co.User.DeptId)))
+ m = m.WhereIn(filterField, getDeptIds(co.User.DeptId))
+ case consts.RoleDataDeptAndSub: // 当前部门及以下部门ds
+ m = m.WhereIn(filterField, getDeptIds(GetDeptAndSub(co.User.DeptId)))
 case consts.RoleDataDeptCustom: // 自定义部门
- m = m.WhereIn(filterField, sq.WhereIn("dept_id", role.CustomDept.Var().Ints()))
+ m = m.WhereIn(filterField, getDeptIds(role.CustomDept.Var().Ints()))
 case consts.RoleDataSelf: // 仅自己
 m = m.Where(filterField, co.User.Id)
 case consts.RoleDataSelfAndSub: // 自己和直属下级
diff --git a/server/internal/logic/admin/dept.go b/server/internal/logic/admin/dept.go
index 15c3485..606b5f0 100644
--- a/server/internal/logic/admin/dept.go
+++ b/server/internal/logic/admin/dept.go
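Review bot: The list returned by the new `getDeptIds` closure goes straight into `m.WhereIn(filterField, ...)` in three cases, and nothing covers the case where it is empty (no member in the department, or `GetDeptAndSub` / `role.CustomDept` yielding nothing). Because this is the data-scope filter, it is worth confirming that the ORM turns an empty list into a predicate that matches no rows rather than dropping the condition; an explicit `len(ds) == 0` branch that forces an empty result would make the fail-closed intent visible. The panic also discards the cause, so `g.Log().Panic(ctx, "failed to get member dept data:", err)` would keep it in the log. The `ds` appended to the comment `当前部门及以下部门ds` looks like a stray edit. FilterAuthWithField starts and ends outside this hunk, so callers and the remaining cases were not reviewed.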
@@ -351,7 +351,7 @@ func (s *sAdminDept) VerifyDeptId(ctx context.Context, id int64) (err error) {
 // 非超管只获取下级
 if !service.AdminMember().VerifySuperId(ctx, mb.Id) {
 pid = mb.DeptId
- mod = mod.WhereLike(dao.AdminDept.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
+ mod = mod.WhereNot(dao.AdminDept.Columns().Id, pid).WhereLike(dao.AdminDept.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
 }
 columns, err := mod.Array()
diff --git a/server/internal/logic/admin/role.go b/server/internal/logic/admin/role.go
index 5537630..25fb82a 100644
--- a/server/internal/logic/admin/role.go
+++ b/server/internal/logic/admin/role.go
@@ -327,7 +327,7 @@ func (s *sAdminRole) VerifyRoleId(ctx context.Context, id int64) (err error) {
 // 非超管只获取下级
 if !service.AdminMember().VerifySuperId(ctx, mb.Id) {
 pid = mb.RoleId
- mod = mod.WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
+ mod = mod.WhereNot(dao.AdminRole.Columns().Id, pid).WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
 }
 columns, err := mod.Array()
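Review bot: The subordinate check in VerifyDeptId still rests on a substring `WhereLike` over the tree column, so as an authorization boundary it is only as exact as the label `tree.GetIdLabel(pid)` produces; that helper is not visible here, and it is worth confirming that the label is delimited so one id cannot match inside a longer one. The added `WhereNot(dao.AdminDept.Columns().Id, pid)` carries no explanation of why the caller's own node is excluded, so I would put `// exclude the caller's own department: non-super admins may only pick strictly lower levels` above it. The chained call is also long enough to read better split across two lines. The same points apply to the VerifyRoleId hunk in role.go, and both functions continue outside their hunks.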