diff --git a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java
index 03e4365..8893a27 100644
--- a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java
+++ b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectController.java
@@ -253,7 +253,15 @@ public class UserProjectController {
 * @param key
 */
 @GetMapping("/user/project/details/{key}")
- public Result queryProjectDetails(@PathVariable @NotBlank String key) {
+ public Result queryProjectDetails(@PathVariable @NotBlank String key,
+ @RequestParam(value = "access_key", required = true) String accessKey,
+ @RequestHeader(value = "userId", required = true) String userId) {
+ // 先校验有没有访问该问卷的权限
+ String accessKeyFromCache = (String) redisUtils.get(String.format("epmet:questionnaire:accesskey:%s:%s", userId, key));
+ if (StringUtils.isBlank(accessKeyFromCache) || !accessKeyFromCache.equals(accessKey)) {
+ throw new RuntimeException("您没有访问权限");
+ }
+
 UserProjectEntity project = projectService.getByKey(key);
 List projectItemList = projectItemService.listByProjectKey(key);
 UserProjectThemeVo themeVo = userProjectThemeService.getUserProjectDetails(key);
diff --git a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java
index 9adfc2a..297fd2e 100644
--- a/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java
+++ b/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UserProjectResultController.java
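Review bot: The added check in queryProjectDetails takes `userId` from a caller-supplied `@RequestHeader("userId")`, so the cache lookup `epmet:questionnaire:accesskey:<userId>:<key>` is made for whatever identity the client names, and a match only proves the caller holds some valid (userId, access_key) pair rather than that the current user may read this project; createProjectResult in the other hunk reads `@RequestAttribute String userId` instead, and this method should use the same server-set source, `@RequestAttribute String userId`, unless a filter upstream already verifies that header (not visible here). The comparison `accessKeyFromCache.equals(accessKey)` is also not constant-time for a secret token; `if (StringUtils.isBlank(accessKeyFromCache) || !MessageDigest.isEqual(accessKeyFromCache.getBytes(StandardCharsets.UTF_8), accessKey.getBytes(StandardCharsets.UTF_8)))` (java.security.MessageDigest, java.nio.charset.StandardCharsets) applies to both controllers. Both the key format string and the whole check block are duplicated verbatim across the two controllers; a single service-layer helper taking (userId, projectKey, accessKey) would keep the two from drifting. queryProjectDetails's body continues past the end of the hunk.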
@@ -27,6 +27,7 @@ import com.tduck.cloud.project.vo.ExportProjectResultVO;
 import com.tduck.cloud.wx.mp.service.WxMpUserMsgService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.ServletOutputStream;
@@ -75,12 +76,21 @@ public class UserProjectResultController {
 *
 * @param entity
 * @param request
+ * @param accessKey 访问key,当前用户是否允许填写问卷
 * @return
 */
 @NoRepeatSubmit
 @PostMapping("/create")
- public Result createProjectResult(@RequestBody UserProjectResultEntity entity, @RequestAttribute String userId, HttpServletRequest request) {
+ public Result createProjectResult(@RequestBody UserProjectResultEntity entity, @RequestAttribute String userId, HttpServletRequest request,
+ @RequestParam(value = "access_key", required = true) String accessKey) {
 ValidatorUtils.validateEntity(entity);
+
+ // 先校验有没有访问该问卷的权限
+ String accessKeyFromCache = (String) redisUtils.get(String.format("epmet:questionnaire:accesskey:%s:%s", userId, entity.getProjectKey()));
+ if (StringUtils.isBlank(accessKeyFromCache) || !accessKeyFromCache.equals(accessKey)) {
+ throw new RuntimeException("您没有访问权限");
+ }
+
 entity.setUserId(userId);
 entity.setSubmitRequestIp(HttpUtils.getIpAddr(request));
 Result userProjectSettingStatus = userProjectSettingService.getUserProjectSettingStatus(entity.getProjectKey(), entity.getSubmitRequestIp(), entity.getWxOpenId());
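Review bot: The access check in createProjectResult rejects with a bare `RuntimeException("您没有访问权限")`, so an authorization failure reaches the client as a generic runtime error — most likely a 500 unless a global handler maps RuntimeException specifically, which is not visible here — and callers cannot distinguish a denied request from a server fault; queryProjectDetails in the first hunk does the same. Prefer the exception type the project's handler already translates to a denied/forbidden response, or return a denied `Result` from the method directly, keeping the message as generic as it is now. Consider also logging the denial at info/warn level with userId and projectKey (never the access key value) so repeated failures are visible to monitoring. The method body continues past the end of the hunk.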