diff --git a/controllers/session.js b/controllers/session.js
index e85b85f..2c2afe4 100644
--- a/controllers/session.js
+++ b/controllers/session.js
@@ -18,7 +18,7 @@ const login = async (ctx) => {
 ctx.throw(400, 'Wrong password')
 }
- ctx.session.profile = only(user, 'uid nick privilege')
+ ctx.session.profile = only(user, 'uid nick privilege pwd')
 ctx.session.profile.verifyContest = []
 ctx.body = {
 profile: ctx.session.profile,
diff --git a/controllers/user.js b/controllers/user.js
index 09b2ff2..b8986b7 100644
--- a/controllers/user.js
+++ b/controllers/user.js
@@ -115,7 +115,9 @@ const update = async (ctx) => {
 user[field] = opt[field]
 }
 })
- if (!isUndefined(opt.privilege)) {
+ if (!isUndefined(opt.privilege) && opt.privilege !== user.privilege) {
+ if (!isRoot(ctx.session.profile))
+ ctx.throw(400, 'You do not have permission to change the privilege!')
 user.privilege = Number.parseInt(opt.privilege)
 }
 if (opt.newPwd) {
diff --git a/services/node-0/judger.js b/services/node-0/judger.js
index c27c599..c9b58f8 100644
--- a/services/node-0/judger.js
+++ b/services/node-0/judger.js
@@ -24,7 +24,7 @@ const logger = require('../../utils/logger')
 const config = require('../../config')
 const redis = require('../../config/redis')
-const extensions = [ '', 'c', 'cpp', 'java' ]
+const extensions = ['', 'c', 'cpp', 'java', 'py']
 // 转化代码
 // 因为判题端各数字表示的含义与 OJ 默认的不同,因此需要做一次转化
diff --git a/utils/middlewares.js b/utils/middlewares.js
index 2aad347..83c4139 100644
--- a/utils/middlewares.js
+++ b/utils/middlewares.js
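Review bot: In controllers/session.js, adding `pwd` to the session profile also puts it in the login response, because the context line `profile: ctx.session.profile,` hands the same object back to the client. Whatever `user.pwd` holds (presumably the stored password hash) should not leave the server; build the response from a separate pick, e.g. `profile: only(ctx.session.profile, 'uid nick privilege verifyContest')`. If the session store is cookie-based the value would also travel with every request — the store is not visible here, so confirm — and a per-user session-version field that changes on password reset would support the invalidation check without copying the hash. The body of `login` continues outside the hunk.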
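Review bot: In controllers/user.js, `opt.privilege !== user.privilege` compares the raw request value with the stored one before it is parsed, so if `opt.privilege` arrives as a string (the `Number.parseInt` two lines below suggests it can) the strict comparison is always true and a non-root user resubmitting an unchanged privilege is rejected. Parse once with a radix, reject `NaN`, and compare the parsed number: `const privilege = Number.parseInt(opt.privilege, 10)` followed by `if (privilege !== user.privilege)`. An authorization failure is also better reported as 403 than 400, and the brace-less `if (!isRoot(ctx.session.profile))` guarding the `ctx.throw` would be safer against later edits with braces. `update` starts and ends outside the hunk.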
@@ -1,8 +1,19 @@
 const { RateLimit } = require('koa2-ratelimit')
 const { isAdmin, isRoot } = require('./helper')
+const User = require('../models/User')
 const login = async (ctx, next) => {
- if (!ctx.session || ctx.session.profile == null) { ctx.throw(401, 'Login required') }
+ if (!ctx.session || ctx.session.profile == null) {
+ delete ctx.session.profile
+ ctx.throw(401, 'Login required')
+ }
+ const user = await User.findOne({ uid: ctx.session.profile.uid }).exec()
+ if (user == null || user.pwd !== ctx.session.profile.pwd) {
+ delete ctx.session.profile
+ ctx.throw(401, 'Login required')
+ }
+ if (user.privilege !== ctx.session.profile.privilege)
+ ctx.session.profile.privilege = user.privilege
 await next()
 }
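Review bot: In utils/middlewares.js, the first branch of `login` runs `delete ctx.session.profile` even when it was entered because `ctx.session` itself is falsy, which throws a TypeError and turns the intended 401 into a 500; guard it, e.g. `if (ctx.session) delete ctx.session.profile`. The second check compares `user.pwd` with a copy kept in the session, so it only works because the password value is now stored in the session by controllers/session.js; comparing a per-user session version or password-changed timestamp would invalidate stale sessions without carrying that value around. The new `User.findOne` also runs on every authenticated request, which deserves a comment on the expected cost. A header comment such as `// Rejects sessions whose user no longer exists or whose password changed; refreshes the cached privilege.` would document the new behaviour.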