diff --git a/apps/inm/views.py b/apps/inm/views.py
index ee22ad9c..8b182bf2 100644
--- a/apps/inm/views.py
+++ b/apps/inm/views.py
@@ -127,13 +127,22 @@ class MIOViewSet(CustomModelViewSet):
 def get_serializer_class(self):
 if self.action in ['create', 'update', 'partial_update']:
 type = self.request.data.get('type')
+ user = self.request.user
 if type in [MIO.MIO_TYPE_DO_IN, MIO.MIO_TYPE_DO_OUT]:
+ if not has_perm(user, ['mio.do']):
+ raise PermissionDenied
 return MIODoSerializer
 elif type in [MIO.MIO_TYPE_OTHER_IN, MIO.MIO_TYPE_OTHER_OUT]:
+ if not has_perm(user, ['mio.other']):
+ raise PermissionDenied
 return MIOOtherSerializer
 elif type == MIO.MIO_TYPE_SALE_OUT:
+ if not has_perm(user, ['mio.sale']):
+ raise PermissionDenied
 return MIOSaleSerializer
 elif type == MIO.MIO_TYPE_PUR_IN:
+ if not has_perm(user, ['mio.pur']):
+ raise PermissionDenied
 return MIOPurSerializer
 return self.serializer_class
@@ -177,7 +186,7 @@ class MIOItemViewSet(ListModelMixin, BulkCreateModelMixin, BulkDestroyModelMixin
 ordering = ['create_time']
 def perform_destroy(self, instance):
- if instance.state != MIO.MIO_CREATE:
+ if instance.mio.state != MIO.MIO_CREATE:
 raise ParseError('出入库记录非创建中不可删除')
 if has_perm(self.request.user, ['mio.update']) is False and instance.mio.create_by != self.request.user:
 raise PermissionDenied('无权限删除')
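Review bot: The permission checks added in `get_serializer_class` are keyed on `type` read from `self.request.data`, which the client controls. On `update`/`partial_update` the permission that is checked therefore need not match the type of the stored record, and a request with a missing or unrecognised `type` falls through to `return self.serializer_class` with no `has_perm` check at all. What the default serializer accepts is not visible here, but the authorisation decision should rest on server-side state: for updates take the type from the object, e.g. `type = self.get_object().type if self.action != 'create' else self.request.data.get('type')` (assuming the model field is named `type`), and raise on an unknown type for create instead of falling through. Serializer selection is also an indirect place to enforce access, so moving these checks into `perform_create`/`perform_update` or a permission class would make them harder to bypass by accident.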
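Review bot: The ownership guard right after the corrected state check in `perform_destroy` tests `has_perm(...) is False`, while the checks this same commit adds in `MIOViewSet.get_serializer_class` use `not has_perm(...)`. If `has_perm` can return a falsy value other than the literal `False` (its definition is not shown), the `is False` form treats the user as permitted and the creator comparison is never evaluated. I would write it as `if not has_perm(self.request.user, ['mio.update']) and instance.mio.create_by != self.request.user:`. The viewset also mixes in `BulkDestroyModelMixin`, so it is worth confirming that the bulk path calls `perform_destroy` for every item; otherwise both the state and ownership checks are skipped there. The rest of `perform_destroy` lies outside the hunk.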