diff --git a/tone-page-server/src/blog/blog.controller.ts b/tone-page-server/src/blog/blog.controller.ts
index 3b6d359..a7a9ae7 100644
--- a/tone-page-server/src/blog/blog.controller.ts
+++ b/tone-page-server/src/blog/blog.controller.ts
@@ -22,7 +22,7 @@ export class BlogController {
 constructor(
 private readonly blogService: BlogService,
 private readonly userService: UserService,
- ) {}
+ ) { }
 @Get()
 getBlogs() {
@@ -71,6 +71,12 @@ export class BlogController {
 const blog = await this.blogService.findById(id);
 if (!blog) throw new BadRequestException('文章不存在');
+ /** @todo 对文章可读性进行更详细的判定 */
+
+ if (!blog.permissions.includes(BlogPermission.Public) && !blog.permissions.includes(BlogPermission.ByPassword)) {
+ throw new BadRequestException('文章不存在或未公开');
+ }
+
 return await this.blogService.getComments(id);
 }
@@ -87,6 +93,10 @@ export class BlogController {
 const blog = await this.blogService.findById(id);
 if (!blog) throw new BadRequestException('文章不存在');
+ if (!blog.permissions.includes(BlogPermission.AllowComments)) {
+ throw new BadRequestException('作者关闭了该文章的评论功能');
+ }
+
 const user = userId ? await this.userService.findById(userId) : null;
 const ip = req.headers['x-forwarded-for'] || req.ip;
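Review bot: The new guard in the comment-listing handler (second hunk) lets `BlogPermission.ByPassword` posts through with no password check visible in the hunk, so comments on a password-protected post appear to be returned to anyone who knows its id. The `@todo` acknowledges the gap, but it ships in the meantime. Until the password is actually verified, the stricter form is safer: `if (!blog.permissions.includes(BlogPermission.Public)) {`. The two messages ('文章不存在' and '文章不存在或未公开') also let a caller tell a missing id from an existing non-public one; returning one message for both cases, ideally through `NotFoundException`, avoids that. The handler begins above the hunk, so a guard or decorator there may already cover part of this.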
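Review bot: The comment-creation handler (third hunk) checks only `AllowComments` and not the visibility guard this commit adds to the listing handler, so a post that is neither Public nor ByPassword but still carries AllowComments would accept comments and confirm that it exists. Repeating the visibility check ahead of the AllowComments check, or moving both into one shared helper on the service, would keep the two endpoints consistent. Separately, the context line `req.headers['x-forwarded-for'] || req.ip` reads a client-settable header that can also hold several values; unless a trusted proxy overwrites it, the recorded address can be forged, and `req.ip` with the framework's trust-proxy setting is the safer source. The handler starts above the hunk and continues below it.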