diff --git a/auth/auth.go b/auth/auth.go
index c3629b0..dcb3aff 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -413,9 +413,13 @@ func (a *appAuth) PermWithOwner(permissionID, ownerKey string) func(*vigo.X) err
 orgID := getOrgID(x)
 
 // 获取资源所有者ID
- ownerID, _ := x.Get(ownerKey).(string)
+ // 优先从Path/Query获取,因为Context中的可能是登录用户ID
+ ownerID := x.PathParams.Get(ownerKey)
 if ownerID == "" {
- ownerID = x.PathParams.Get(ownerKey)
+ ownerID = x.Request.URL.Query().Get(ownerKey)
+ }
+ if ownerID == "" {
+ ownerID, _ = x.Get(ownerKey).(string)
 }
 
 // 如果是所有者,直接放行
diff --git a/cfg/cfg.go b/cfg/cfg.go
index c629920..1fcc375 100644
--- a/cfg/cfg.go
+++ b/cfg/cfg.go
@@ -69,7 +69,7 @@ var Config = &Options{
 },
 InitAdmin: InitAdminConfig{
 Username: "admin",
- Password: "123456", // 为空表示不自动创建,第一个注册用户成为 admin
+ Password: "", // 为空表示不自动创建,第一个注册用户成为 admin
 Email: "admin@example.com",
 },
 }
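Review bot: In auth/auth.go the new `x.Request.URL.Query().Get(ownerKey)` fallback makes the value used by the owner shortcut ("如果是所有者,直接放行") caller-supplied whenever the route has no `ownerKey` path parameter. The comparison and the downstream handler are outside this hunk, so this is inferred. If the handler selects the resource from any field other than that same query value, the permission check and the action can disagree, and the owner bypass is granted for a resource the caller does not own. I would drop the query branch and keep only the path parameter and the context value. Otherwise, state the contract on `PermWithOwner`: `// ownerKey must name the same request field the handler uses to load the resource; the owner is not verified against storage here`. The closure body starts and ends outside the hunk.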
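Review bot: In cfg/cfg.go the empty `Password` default means, per the inline comment, that a fresh install hands admin to whoever registers first, and nothing here tells operators to close that window. The comment on that line should say so, for example `// empty: no admin is auto-created and the first registered user becomes admin; set a strong password or restrict registration before exposing the service`. Separately, installs initialised under the old default presumably still have the `admin` account with `123456`. The bootstrap code is not visible here, so it is worth confirming whether an upgrade note or a forced password change is needed.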