diff --git a/routes/auth.py b/routes/auth.py
index d23d65c..2e0965a 100644
--- a/routes/auth.py
+++ b/routes/auth.py
@@ -2,7 +2,7 @@
 from schemas.auth import Token
 from fastapi import APIRouter
 
-router = APIRouter(prefix="/api/auth", tags=["auth"])
+router = APIRouter(tags=["auth"])
 
 @router.post("/login", response_model=Token)
 async def login():
diff --git a/routes/users.py b/routes/users.py
index 5ebdcdb..4caf448 100644
--- a/routes/users.py
+++ b/routes/users.py
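Review bot: With `prefix="/api/auth"` dropped from the router, the `/login` route is only reachable under whatever prefix the `include_router` call supplies, and any `OAuth2PasswordBearer(tokenUrl=...)` still in the project (the one removed from routes/users.py pointed at `api/auth/login`) must agree with the final mounted path or the token flow and the docs "Authorize" button stop working. The include site and services/auth are not in this diff, so verify the prefix was moved there rather than lost. The body of `login` continues outside the hunk.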
@@ -1,30 +1,61 @@
 from fastapi import APIRouter, Depends, HTTPException, status
-from fastapi.security import OAuth2PasswordBearer
 from typing import List, Optional
-from models.user import User
 from schemas.user import UserCreate, UserUpdate, UserResponse
 from services.auth import get_current_user
 
-router = APIRouter()
-
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/auth/login")
+router = APIRouter(tags=["users"])
 
 @router.get("/", response_model=List[UserResponse])
-async def get_users():
+async def get_users(
+    page: int = 1,
+    limit: int = 10,
+    role: Optional[str] = None,
+    current_user: UserResponse = Depends(get_current_user)
+):
+    if current_user.role not in ["system_admin", "admin"]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admin can access user list"
+        )
     # 实现获取用户列表逻辑
     pass
 
 @router.post("/", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
-async def create_user():
+async def create_user(
+    user_data: UserCreate,
+    current_user: UserResponse = Depends(get_current_user)
+):
+    if current_user.role not in ["system_admin", "admin"]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admin can create users"
+        )
     # 实现创建用户逻辑
     pass
 
 @router.put("/{user_id}", response_model=UserResponse)
-async def update_user():
+async def update_user(
+    user_id: int,
+    user_data: UserUpdate,
+    current_user: UserResponse = Depends(get_current_user)
+):
+    if current_user.role not in ["system_admin", "admin"]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admin can update users"
+        )
     # 实现更新用户逻辑
     pass
 
 @router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
-async def delete_user():
+async def delete_user(
+    user_id: int,
+    current_user: UserResponse = Depends(get_current_user)
+):
+    if current_user.role not in ["system_admin", "admin"]:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only admin can delete users"
+        )
     # 实现删除用户逻辑
     pass
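Review bot: The identical role gate `if current_user.role not in ["system_admin", "admin"]:` is pasted into all four handlers (get_users, create_user, update_user, delete_user), so the allowed-role list now lives in four places that can drift and any endpoint added later that forgets the copy is silently unprotected; fold it into one `require_admin` dependency and have the handlers depend on that instead of `get_current_user`, which also makes the authorization surface a single thing to audit. The new `page`/`limit` parameters on get_users are unbounded plain ints (`limit=0`, a negative page or an enormous limit are all accepted), so declare them with `Query(1, ge=1)` and `Query(10, ge=1, le=100)` from fastapi. The `role` filter is free text as well; restricting it to the known role names (an Enum or Literal) keeps arbitrary values out of whatever lookup the stub body eventually performs.

```python
ADMIN_ROLES = frozenset({"system_admin", "admin"})

async def require_admin(
    current_user: UserResponse = Depends(get_current_user),
) -> UserResponse:
    """Single authorization gate: reject callers without an admin role."""
    if current_user.role not in ADMIN_ROLES:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Admin role required",
        )
    return current_user

@router.get("/", response_model=List[UserResponse])
async def get_users(
    page: int = Query(1, ge=1),           # Query is imported from fastapi
    limit: int = Query(10, ge=1, le=100),
    role: Optional[str] = None,
    current_user: UserResponse = Depends(require_admin),
):
    # … unchanged: stub body …

# … unchanged: create_user / update_user / delete_user, each with
#   current_user: UserResponse = Depends(require_admin) and the inline
#   role check removed …
```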