diff --git a/backend/src/main/java/com/xly/erp/module/usr/service/impl/UserServiceImpl.java b/backend/src/main/java/com/xly/erp/module/usr/service/impl/UserServiceImpl.java
index 4a61f6d..b453fc1 100644
--- a/backend/src/main/java/com/xly/erp/module/usr/service/impl/UserServiceImpl.java
+++ b/backend/src/main/java/com/xly/erp/module/usr/service/impl/UserServiceImpl.java
@@ -57,6 +57,23 @@ public class UserServiceImpl implements UserService {
 
     @Override
     public Map<String, Object> create(CreateUserDTO dto) {
+        if (!USER_TYPES.contains(dto.getSUserType())) {
+            throw new BizException(40001, "sUserType: 取值非法");
+        }
+        if (!LANGUAGES.contains(dto.getSLanguage())) {
+            throw new BizException(40001, "sLanguage: 取值非法");
+        }
+        if (dto.getIStaffId() != null && !staffMapper.existsActiveById(dto.getIStaffId())) {
+            throw new BizException(40022, "职员不存在或已删除");
+        }
+        List<Integer> ids = dto.getPermissionCategoryIds();
+        if (ids != null && !ids.isEmpty()) {
+            int found = permissionCategoryMapper.countActiveByIds(ids);
+            if (found != ids.size()) {
+                throw new BizException(40023, "权限分类含无效 id");
+            }
+        }
+
         User entity = new User();
         entity.setSBrandsId(tenant.getBrandsId());
         entity.setSSubsidiaryId(tenant.getSubsidiaryId());
@@ -73,9 +90,12 @@ public class UserServiceImpl implements UserService {
         entity.setSCreatedBy(createdBy);
         entity.setBDeleted(false);
 
-        userMapper.insert(entity);
+        try {
+            userMapper.insert(entity);
+        } catch (DuplicateKeyException e) {
+            throw new BizException(40020, "用户号或用户名已存在");
+        }
 
-        List<Integer> ids = dto.getPermissionCategoryIds();
         if (ids != null && !ids.isEmpty()) {
             for (Integer cid : ids) {
                 UserPermission rel = new UserPermission();
diff --git a/backend/src/test/java/com/xly/erp/module/usr/service/UserServiceImplTest.java b/backend/src/test/java/com/xly/erp/module/usr/service/UserServiceImplTest.java
index b89887b..ea4f9fa 100644
--- a/backend/src/test/java/com/xly/erp/module/usr/service/UserServiceImplTest.java
+++ b/backend/src/test/java/com/xly/erp/module/usr/service/UserServiceImplTest.java
@@ -115,6 +115,71 @@ class UserServiceImplTest {
         verify(userPermissionMapper, never()).insert(any(UserPermission.class));
     }
 
+    @Test
+    void createWithInvalidUserType_throws40001() {
+        CreateUserDTO dto = baseDto();
+        dto.setSUserType("火星");
+        assertThatThrownBy(() -> service.create(dto))
+                .isInstanceOf(BizException.class)
+                .hasFieldOrPropertyWithValue("code", 40001);
+        verify(userMapper, never()).insert(any(User.class));
+    }
+
+    @Test
+    void createWithInvalidLanguage_throws40001() {
+        CreateUserDTO dto = baseDto();
+        dto.setSLanguage("ja");
+        assertThatThrownBy(() -> service.create(dto))
+                .isInstanceOf(BizException.class)
+                .hasFieldOrPropertyWithValue("code", 40001);
+        verify(userMapper, never()).insert(any(User.class));
+    }
+
+    @Test
+    void createWithStaffNotFound_throws40022() {
+        when(staffMapper.existsActiveById(99)).thenReturn(false);
+        CreateUserDTO dto = baseDto();
+        dto.setIStaffId(99);
+        assertThatThrownBy(() -> service.create(dto))
+                .isInstanceOf(BizException.class)
+                .hasFieldOrPropertyWithValue("code", 40022);
+        verify(userMapper, never()).insert(any(User.class));
+    }
+
+    @Test
+    void createWithSomeInvalidPermissionIds_throws40023() {
+        when(permissionCategoryMapper.countActiveByIds(List.of(1, 2, 3))).thenReturn(2);
+        CreateUserDTO dto = baseDto();
+        dto.setPermissionCategoryIds(List.of(1, 2, 3));
+        assertThatThrownBy(() -> service.create(dto))
+                .isInstanceOf(BizException.class)
+                .hasFieldOrPropertyWithValue("code", 40023);
+        verify(userMapper, never()).insert(any(User.class));
+    }
+
+    @Test
+    void createWithDuplicateUserNo_throws40020() {
+        when(userMapper.insert(any(User.class)))
+                .thenThrow(new DuplicateKeyException("uk_user_no"));
+        CreateUserDTO dto = baseDto();
+        assertThatThrownBy(() -> service.create(dto))
+                .isInstanceOf(BizException.class)
+                .hasFieldOrPropertyWithValue("code", 40020);
+    }
+
+    @Test
+    void createUsesAuthenticatedUserNoAsCreatedBy() {
+        SecurityContextHolder.getContext().setAuthentication(
+                new UsernamePasswordAuthenticationToken("ALICE", null, Collections.emptyList()));
+        CreateUserDTO dto = baseDto();
+
+        service.create(dto);
+
+        ArgumentCaptor<User> cap = ArgumentCaptor.forClass(User.class);
+        verify(userMapper).insert(cap.capture());
+        assertThat(cap.getValue().getSCreatedBy()).isEqualTo("ALICE");
+    }
+
     private CreateUserDTO baseDto() {
         CreateUserDTO dto = new CreateUserDTO();
         dto.setSUserNo("u001");