diff --git a/http/http_funcs.go b/http/http_funcs.go
index 06b074f2..33b5cac3 100644
--- a/http/http_funcs.go
+++ b/http/http_funcs.go
@@ -225,6 +225,20 @@ func loginUsername(c *gin.Context) string {
 		username = headerUsername(c)
 	}
 
+	if username == "" {
+		remoteAddr := c.Request.RemoteAddr
+		idx := strings.LastIndex(remoteAddr, ":")
+		ip := ""
+		if idx > 0 {
+			ip = remoteAddr[0:idx]
+		}
+
+		if ip == "127.0.0.1" {
+			//本地调用都当成是root用户在调用
+			username = "root"
+		}
+	}
+
 	if username == "" {
 		ierr.Bomb(http.StatusUnauthorized, "unauthorized")
 	}
diff --git a/http/router.go b/http/router.go
index 1090913f..dc3f51b6 100644
--- a/http/router.go
+++ b/http/router.go
@@ -308,6 +308,9 @@ func configRoutes(r *gin.Engine) {
 		v1.POST("/tag-metrics", GetMetrics)
 		v1.POST("/tag-pairs", GetTagPairs)
 		v1.GET("/check-promql", checkPromeQl)
+
+		v1.GET("/can-do-op-by-name", login(), canDoOpByName)
+		v1.GET("/can-do-op-by-token", login(), canDoOpByToken)
 	}
 
 	push := r.Group("/v1/n9e/series").Use(gzip.Gzip(gzip.DefaultCompression))
diff --git a/http/router_auth.go b/http/router_auth.go
index bf2168ae..90a39496 100644
--- a/http/router_auth.go
+++ b/http/router_auth.go
@@ -56,3 +56,37 @@ func logoutGet(c *gin.Context) {
 	session.Save()
 	renderMessage(c, nil)
 }
+
+func canDoOpByName(c *gin.Context) {
+	user, err := models.UserGetByUsername(queryStr(c, "name"))
+	dangerous(err)
+
+	if user == nil {
+		renderData(c, false, err)
+		return
+	}
+
+	can, err := user.CanDo(queryStr(c, "op"))
+	renderData(c, can, err)
+}
+
+func canDoOpByToken(c *gin.Context) {
+	userToken, err := models.UserTokenGet("token=?", queryStr(c, "token"))
+	dangerous(err)
+
+	if userToken == nil {
+		renderData(c, false, err)
+		return
+	}
+
+	user, err := models.UserGetByUsername(userToken.Username)
+	dangerous(err)
+
+	if user == nil {
+		renderData(c, false, err)
+		return
+	}
+
+	can, err := user.CanDo(queryStr(c, "op"))
+	renderData(c, can, err)
+}