diff --git a/conf/app.php b/conf/app.php
index 9dc8383..f1ba3f2 100644
--- a/conf/app.php
+++ b/conf/app.php
@@ -3,8 +3,8 @@
  * Config
  */
 $configs = array(
-    'version' => '0.4.1',
-    'releaseDate' => '2024-12-18',
+    'version' => '0.4.2',
+    'releaseDate' => '2024-12-20',
     'showVersion' => false,     //默认不显示版本号和发布日期
 
     'default_timezone' => 'Asia/Hong_Kong',      //timezone, check more: https://www.php.net/manual/en/timezones.asia.php
diff --git a/plugins/Common.php b/plugins/Common.php
index 540f56d..b7badb2 100644
--- a/plugins/Common.php
+++ b/plugins/Common.php
@@ -651,6 +651,34 @@ Class Common {
         return $authDirs;
     }
 
+    //判断当前文件是否允许访问
+    public static function isUserAllowedToFile($filepath) {
+        if( empty(FSC::$app['config']['password_auth']) ) {
+            return true;
+        }
+
+        $authConfig = FSC::$app['config']['password_auth'];
+        if (empty($authConfig['enable']) || $authConfig['enable'] === 'false') {
+            return true;
+        }
+
+        $allowed = true;
+
+        $filepath = preg_replace('/\/[^\/]+$/', '', $filepath);
+        $filepath = trim($filepath, '/');
+        $arr = explode('/', $filepath);
+        if (!empty($arr)) {
+            foreach($arr as $dir) {
+                $allowed = self::isUserAllowedToDir($dir);
+                if (!$allowed) {
+                    break;
+                }
+            }
+        }
+
+        return $allowed;
+    }
+
     //判断当前目录是否允许访问
     public static function isUserAllowedToDir($dir) {
         if( empty(FSC::$app['config']['password_auth']) ) {
diff --git a/themes/beauty/views/list/bydate.php b/themes/beauty/views/list/bydate.php
index db78000..f148c1a 100644
--- a/themes/beauty/views/list/bydate.php
+++ b/themes/beauty/views/list/bydate.php
@@ -297,12 +297,20 @@ eof;
                         $bigUrl = $file['path'];
                     }
 
+                    //权限检查
+                    $originUrl = $file['path'];
+                    $isAllowedToVisit = Common::isUserAllowedToFile($file['realpath']);
+                    if (!$isAllowedToVisit) {
+                        $smallUrl = '/img/beauty/lock-fill.svg';
+                        $bigUrl = $originUrl = '/img/beauty/lazy.svg';
+                    }
+
                     echo <<<eof
 <div class="im_item bor_radius col-xs-6 col-sm-4 col-md-3 col-lg-2">
     <a href="javascript:;" class="bor_radius" data-fancybox="gallery"
         data-src="{$bigUrl}"
         data-thumb="{$smallUrl}"
-        data-download-src="{$file['path']}"
+        data-download-src="{$originUrl}"
         data-download-filename="{$file['filename']}.{$file['extension']}"
         data-caption="{$title} - {$file['filename']}"
         data-pid="{$file['pid']}"
@@ -333,12 +341,26 @@ eof;
                         $linkUrl .= "&name=" . urlencode($file['filename']);
                     }
 
+                    //权限检查
+                    $linkTarget = '_blank';
+                    $videoCover = '/img/beauty/video_snap.jpg';
+                    $lockedAttr = '';
+                    $isAllowedToVisit = Common::isUserAllowedToFile($file['realpath']);
+                    if (!$isAllowedToVisit) {
+                        $linkUrl = 'javascript:;';
+                        $linkTarget = '_self';
+                        $videoCover = '/img/beauty/lock-fill.svg';
+                        $lockedAttr = 'data-lock="true"';
+                    }
+
                     echo <<<eof
 <div class="im_item bor_radius col-xs-6 col-sm-4 col-md-3 col-lg-2">
-    <a href="{$linkUrl}" target="_blank" class="bor_radius" title="{$title} - {$file['filename']}">
-        <img src="/img/beauty/video_snap.jpg" class="bor_radius im_img video-poster" id="poster_{$file['id']}"
+    <a href="{$linkUrl}" target="{$linkTarget}" class="bor_radius" title="{$title} - {$file['filename']}">
+        <img src="{$videoCover}" class="bor_radius im_img video-poster"
+            id="poster_{$file['id']}"
             data-video-id="{$file['id']}"
             data-video-url="{$file['path']}"
+            {$lockedAttr}
             alt="{$file['filename']}">
         <div class="im_img_title">
             <span class="right-bottom">
@@ -370,12 +392,24 @@ eof;
                         }
                     }
 
+                    //权限检查
+                    $linkTarget = '_blank';
+                    $lockedAttr = '';
+                    $isAllowedToVisit = Common::isUserAllowedToFile($file['realpath']);
+                    if (!$isAllowedToVisit) {
+                        $linkUrl = 'javascript:;';
+                        $linkTarget = '_self';
+                        $snapshot = '/img/beauty/lock-fill.svg';
+                        $lockedAttr = 'data-lock="true"';
+                    }
+
                     echo <<<eof
 <div class="im_item bor_radius col-xs-6 col-sm-4 col-md-3 col-lg-2 audio-list-item">
-    <a href="{$linkUrl}" target="_blank" class="bor_radius vercenter" title="{$title} - {$file['filename']}">
+    <a href="{$linkUrl}" target="{$linkTarget}" class="bor_radius vercenter" title="{$title} - {$file['filename']}">
         <img src="{$snapshot}" class="bor_radius im_img video-poster" id="poster_{$file['id']}"
             data-video-id="{$file['id']}"
             data-video-url="{$file['path']}"
+            {$lockedAttr}
             alt="{$file['filename']}">
         <span class="title">{$title}</span>
         <img src="/img/video-play.svg" class="playbtn hide" alt="video play button">
diff --git a/www/js/beauty.js b/www/js/beauty.js
index 5942917..5ad6501 100644
--- a/www/js/beauty.js
+++ b/www/js/beauty.js
@@ -595,8 +595,11 @@ var getVideoMetaAndShowIt = function(videoId, videoUrl) {
 
 $('.video-poster').each(function(index, el) {
     var videoId = $(el).attr('data-video-id'),
-        videoUrl = $(el).attr('data-video-url');
-    getVideoMetaAndShowIt(videoId, videoUrl);
+        videoUrl = $(el).attr('data-video-url'),
+        isLocked = $(el).attr('data-lock');
+    if (!isLocked) {
+        getVideoMetaAndShowIt(videoId, videoUrl);
+    }
 });
 
 //保存视频/音乐meta数据
@@ -781,8 +784,11 @@ if ($('#my-player').length > 0 && typeof(videojs) != 'undefined') {
                 setTimeout(function() {
                     $('.othervideos .video-poster').each(function(index, el) {
                         var videoId = $(el).attr('data-video-id'),
-                            videoUrl = $(el).attr('data-video-url');
-                        getVideoMetaAndShowIt(videoId, videoUrl);
+                            videoUrl = $(el).attr('data-video-url'),
+                            isLocked = $(el).attr('data-lock');
+                        if (!isLocked) {
+                            getVideoMetaAndShowIt(videoId, videoUrl);
+                        }
                     });
                 }, 50);
 
@@ -795,8 +801,11 @@ if ($('#my-player').length > 0 && typeof(videojs) != 'undefined') {
                 setTimeout(function() {
                     $('.othervideos .video-poster').each(function(index, el) {
                         var videoId = $(el).attr('data-video-id'),
-                            videoUrl = $(el).attr('data-video-url');
-                        getVideoMetaAndShowIt(videoId, videoUrl);
+                            videoUrl = $(el).attr('data-video-url'),
+                            isLocked = $(el).attr('data-lock');
+                        if (!isLocked) {
+                            getVideoMetaAndShowIt(videoId, videoUrl);
+                        };
                     });
                 }, 50);