diff --git a/backend/middleware/auth_middleware.py b/backend/middleware/auth_middleware.py
index 5e3cce7..e2413d2 100644
--- a/backend/middleware/auth_middleware.py
+++ b/backend/middleware/auth_middleware.py
@@ -29,8 +29,6 @@ PUBLIC_PATHS = [
 r'^/$',
 r'^/health$',
 r'^/api/auth/login$',
- r'^/api/auth/logout$',
- r'^/api/config/deduction-rules$',
 ]
 def is_public_path(path: str) -> bool:
 """检查是否为公开路径"""
diff --git a/backend/routes/admin.py b/backend/routes/admin.py
index 874b3b8..8e3797d 100644
--- a/backend/routes/admin.py
+++ b/backend/routes/admin.py
@@ -125,7 +125,8 @@ async def add_student(request: Request, req: AddStudentRequest):
 name=req.name,
 parent_phone=req.parent_phone,
 operator_id=user["user_id"],
- initial_points=60
+ initial_points=60,
+ dormitory_number=req.dormitory_number
 )
 if result["success"]:
 await LogService.write_operation_log(
diff --git a/backend/services/auth_service.py b/backend/services/auth_service.py
index 109bfc4..a010ec9 100644
--- a/backend/services/auth_service.py
+++ b/backend/services/auth_service.py
@@ -123,8 +123,16 @@ class AuthService:
 if not user:
 return {"success": False, "message": "用户不存在"}
 
- # 验证原密码(强制改密时跳过)
- if not force:
+ # 验证原密码
+ # force=True 仅在 need_change_password=1 时允许(首次登录强制改密)
+ # 其他情况必须验证旧密码
+ if force and user.get("need_change_password") == 1:
+ # 首次登录强制改密,跳过旧密码验证
+ pass
+ else:
+ # 正常改密,必须验证旧密码
+ if not old_password:
+ return {"success": False, "message": "请输入原密码"}
 is_valid, _ = security.verify_password_v2(old_password, user["password_hash"])
 if not is_valid:
 return {"success": False, "message": "原密码错误"}
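Review bot: `dormitory_number=req.dormitory_number` is forwarded to the service call with no constraint visible in this hunk; if `AddStudentRequest` declares it as a plain optional string, the field should carry a length bound (with pydantic, `max_length=` or `pattern=` on the `Field`) before the value is persisted and echoed into the operation log that follows. `initial_points=60` on the line this hunk rewrites is a bare magic number; a module-level `DEFAULT_INITIAL_POINTS = 60` would name the policy it encodes. add_student starts before the hunk and the callee's definition is not in this diff, so whether it already accepts `dormitory_number` (and a `None` value) cannot be checked from here.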
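Review bot: The `force` bypass is now gated on `user.get("need_change_password") == 1`, but the hunk does not show that flag being reset once the new password is stored; unless the update that follows clears it in the same write, the account keeps accepting a password change without the old one for as long as the flag persists, so please confirm the success path sets `need_change_password` back to 0. The `if …: pass / else:` shape exists only to skip a branch; `skip_old_password = force and user.get("need_change_password") == 1` followed by `if not skip_old_password:` expresses the same rule without the empty branch and keeps the `if not old_password` check, the `security.verify_password_v2(...)` call and both error returns under one guard. If `force` is still supplied by the client request, it is worth deriving the bypass solely from the stored flag, since the server-side state is now the only input that matters. The enclosing method starts and ends outside the hunk.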