diff --git a/backend/src/main/java/com/xly/erp/modules/usr/controller/UsrUserController.java b/backend/src/main/java/com/xly/erp/modules/usr/controller/UsrUserController.java
new file mode 100644
index 0000000..ed243ca
--- /dev/null
+++ b/backend/src/main/java/com/xly/erp/modules/usr/controller/UsrUserController.java
@@ -0,0 +1,45 @@
+package com.xly.erp.modules.usr.controller;
+
+import com.xly.erp.common.exception.BusinessException;
+import com.xly.erp.common.response.Result;
+import com.xly.erp.common.response.ResultCode;
+import com.xly.erp.common.security.SecurityUtil;
+import com.xly.erp.modules.usr.dto.CreateUserDTO;
+import com.xly.erp.modules.usr.service.UsrUserService;
+import jakarta.validation.Valid;
+import java.util.Map;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * 用户管理 Controller(docs/04 § 1.2 / docs/05 REQ-USR-001)。
+ *
+ * 仅做参数校验 + 管理员权限前置 + 委派 Service,不写业务逻辑、不直接调 Mapper。
+ */
+@RestController
+@RequestMapping("/api/usr")
+public class UsrUserController {
+
+ /** 管理员判定口径(spec § 8 D2)。 */
+ private static final String ADMIN_USER_TYPE = "超级管理员";
+
+ private final UsrUserService usrUserService;
+
+ public UsrUserController(UsrUserService usrUserService) {
+ this.usrUserService = usrUserService;
+ }
+
+ /**
+ * 新增用户:仅超级管理员可调用(spec § 3.9,先于业务校验)。
+ */
+ @PostMapping("/users")
+ public Result> createUser(@Valid @RequestBody CreateUserDTO dto) {
+ if (!ADMIN_USER_TYPE.equals(SecurityUtil.currentUserType())) {
+ throw new BusinessException(ResultCode.FORBIDDEN);
+ }
+ Integer newId = usrUserService.createUser(dto);
+ return Result.success(Map.of("id", newId));
+ }
+}
diff --git a/backend/src/test/java/com/xly/erp/modules/usr/controller/UsrUserControllerTest.java b/backend/src/test/java/com/xly/erp/modules/usr/controller/UsrUserControllerTest.java
new file mode 100644
index 0000000..ca94211
--- /dev/null
+++ b/backend/src/test/java/com/xly/erp/modules/usr/controller/UsrUserControllerTest.java
@@ -0,0 +1,102 @@
+package com.xly.erp.modules.usr.controller;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.xly.erp.common.exception.GlobalExceptionHandler;
+import com.xly.erp.common.security.SecurityUtil;
+import com.xly.erp.modules.usr.dto.CreateUserDTO;
+import com.xly.erp.modules.usr.service.UsrUserService;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+/**
+ * REQ-USR-001 T7:UsrUserController 与管理员权限前置。
+ *
+ * 采用 MockMvc standaloneSetup 做 Controller 层单元测试(不加载 Spring 上下文,
+ * 避免 @MapperScan / Security 全量装配的切片摩擦),挂上真实 {@link GlobalExceptionHandler}
+ * 以验证 @Valid 失败转 40001、BusinessException 转 40301;UsrUserService 用 Mockito mock,
+ * 管理员判定通过 mock SecurityUtil 静态方法注入。
+ */
+class UsrUserControllerTest {
+
+ private final ObjectMapper objectMapper = new ObjectMapper();
+ private final UsrUserService usrUserService = Mockito.mock(UsrUserService.class);
+ private MockMvc mockMvc;
+ private MockedStatic securityUtilMock;
+
+ @BeforeEach
+ void setUp() {
+ UsrUserController controller = new UsrUserController(usrUserService);
+ mockMvc = MockMvcBuilders.standaloneSetup(controller)
+ .setControllerAdvice(new GlobalExceptionHandler())
+ .build();
+ securityUtilMock = Mockito.mockStatic(SecurityUtil.class);
+ }
+
+ @AfterEach
+ void tearDown() {
+ securityUtilMock.close();
+ }
+
+ private String validBody() throws Exception {
+ CreateUserDTO dto = new CreateUserDTO();
+ dto.setSUserName("good_user");
+ dto.setSLanguage("中文");
+ return objectMapper.writeValueAsString(dto);
+ }
+
+ @Test
+ void adminCreateReturnsCodeZeroWithId() throws Exception {
+ securityUtilMock.when(SecurityUtil::currentUserType).thenReturn("超级管理员");
+ when(usrUserService.createUser(any(CreateUserDTO.class))).thenReturn(101);
+
+ mockMvc.perform(post("/api/usr/users")
+ .contentType("application/json")
+ .content(validBody()))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.code").value(0))
+ .andExpect(jsonPath("$.data.id").value(101))
+ .andExpect(jsonPath("$.data.sPassword").doesNotExist())
+ .andExpect(jsonPath("$.data.password").doesNotExist());
+ }
+
+ @Test
+ void nonAdminReturns40301() throws Exception {
+ securityUtilMock.when(SecurityUtil::currentUserType).thenReturn("普通用户");
+
+ mockMvc.perform(post("/api/usr/users")
+ .contentType("application/json")
+ .content(validBody()))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.code").value(40301));
+ verify(usrUserService, never()).createUser(any(CreateUserDTO.class));
+ }
+
+ @Test
+ void invalidBodyReturns40001() throws Exception {
+ securityUtilMock.when(SecurityUtil::currentUserType).thenReturn("超级管理员");
+ CreateUserDTO dto = new CreateUserDTO();
+ dto.setSUserName("ab");
+ dto.setSLanguage("中文");
+ String body = objectMapper.writeValueAsString(dto);
+
+ mockMvc.perform(post("/api/usr/users")
+ .contentType("application/json")
+ .content(body))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("$.code").value(40001));
+ verify(usrUserService, never()).createUser(any(CreateUserDTO.class));
+ }
+}