diff --git a/src/app/api/room/[id]/reset/route.ts b/src/app/api/room/[id]/reset/route.ts
index 1570906..031ace1 100644
--- a/src/app/api/room/[id]/reset/route.ts
+++ b/src/app/api/room/[id]/reset/route.ts
@@ -1,22 +1,25 @@
 import { NextResponse } from "next/server";
 import { atomicUpdateRoom } from "@/lib/store";
 import { notify } from "@/lib/roomEvents";
-import { apiHandler, ApiError } from "@/lib/api";
+import { apiHandler, ApiError, requireUserId } from "@/lib/api";
 
 export const POST = apiHandler(async (req, { params }) => {
   const { id } = await params;
 
+  const body = await req.json().catch(() => ({}));
+  const userId = body?.userId;
+  requireUserId(userId);
+
   let restaurantIds: string[] | undefined;
-  try {
-    const body = await req.json().catch(() => null);
-    if (body?.restaurantIds && Array.isArray(body.restaurantIds)) {
-      restaurantIds = body.restaurantIds;
-    }
-  } catch {
-    // No body or invalid JSON — plain reset
+  if (body?.restaurantIds && Array.isArray(body.restaurantIds)) {
+    restaurantIds = body.restaurantIds;
   }
 
   const updated = await atomicUpdateRoom(id, (data) => {
+    if (!data.users.includes(userId) && data.creatorId !== userId) {
+      throw new ApiError("只有房间成员可以重置", 403);
+    }
+
     if (restaurantIds && restaurantIds.length > 0) {
       const idSet = new Set(restaurantIds);
       data.restaurants = data.restaurants.filter((r) => idSet.has(r.id));
diff --git a/src/app/api/room/[id]/swipe/route.ts b/src/app/api/room/[id]/swipe/route.ts
index bc5325c..879eb7a 100644
--- a/src/app/api/room/[id]/swipe/route.ts
+++ b/src/app/api/room/[id]/swipe/route.ts
@@ -15,6 +15,10 @@ export const POST = apiHandler(async (req, { params }) => {
   const rid = String(restaurantId);
 
   const updated = await atomicUpdateRoom(id, (data) => {
+    if (!data.users.includes(userId)) {
+      throw new ApiError("你不是该房间的成员", 403);
+    }
+
     const restaurantIndex = data.restaurants.findIndex((r) => r.id === rid);
     const alreadySwiped =
       restaurantIndex >= 0 &&
diff --git a/src/app/api/room/[id]/undo/route.ts b/src/app/api/room/[id]/undo/route.ts
index 92273a4..8b37b18 100644
--- a/src/app/api/room/[id]/undo/route.ts
+++ b/src/app/api/room/[id]/undo/route.ts
@@ -13,6 +13,10 @@ export const POST = apiHandler(async (req, { params }) => {
   const rid = String(restaurantId);
 
   const updated = await atomicUpdateRoom(id, (data) => {
+    if (!data.users.includes(userId)) {
+      throw new ApiError("你不是该房间的成员", 403);
+    }
+
     if (data.likes[rid]) {
       data.likes[rid] = data.likes[rid].filter((u) => u !== userId);
       if (data.likes[rid].length === 0) {
diff --git a/src/app/room/[id]/page.tsx b/src/app/room/[id]/page.tsx
index f2e9f69..0bdc340 100644
--- a/src/app/room/[id]/page.tsx
+++ b/src/app/room/[id]/page.tsx
@@ -74,18 +74,22 @@ export default function RoomPage() {
   }, []);
 
   const handleReset = useCallback(async () => {
-    await fetch(`/api/room/${roomId}/reset`, { method: "POST" });
+    await fetch(`/api/room/${roomId}/reset`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ userId }),
+    });
     await mutate();
-  }, [roomId, mutate]);
+  }, [roomId, userId, mutate]);
 
   const handleNarrow = useCallback(async (restaurantIds: string[]) => {
     await fetch(`/api/room/${roomId}/reset`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ restaurantIds }),
+      body: JSON.stringify({ userId, restaurantIds }),
     });
     await mutate();
-  }, [roomId, mutate]);
+  }, [roomId, userId, mutate]);
 
   if (notFound || joinFailed) {
     return (