diff --git a/app/Http/Middleware/LockUpdatePage.php b/app/Http/Middleware/LockUpdatePage.php
new file mode 100644
index 00000000..634399e9
--- /dev/null
+++ b/app/Http/Middleware/LockUpdatePage.php
@@ -0,0 +1,15 @@
+user()->permission < User::SUPER_ADMIN, 503);
+ return $next($request);
+ }
+}
diff --git a/resources/misc/changelogs/en/4.3.0.md b/resources/misc/changelogs/en/4.3.0.md
index 5540dafd..9ecaa147 100644
--- a/resources/misc/changelogs/en/4.3.0.md
+++ b/resources/misc/changelogs/en/4.3.0.md
@@ -15,6 +15,7 @@
 - Tweaked style of chart at administration panel.
 - Optimized panel of changing theme color.
 - Tweaked some links at closet page.
+- Limited that only super administrators can visit update pages.
 
 ## Fixed
 
diff --git a/resources/misc/changelogs/zh_CN/4.3.0.md b/resources/misc/changelogs/zh_CN/4.3.0.md
index 33e44dd7..e706c2a8 100644
--- a/resources/misc/changelogs/zh_CN/4.3.0.md
+++ b/resources/misc/changelogs/zh_CN/4.3.0.md
@@ -15,6 +15,7 @@
 - 调整管理面板中的图表样式
 - 优化「更改配色」的面板
 - 调整衣柜页面上的某些链接
+- 限制仅超级管理员才能访问升级页面
 
 ## 修复
 
diff --git a/routes/setup.php b/routes/setup.php
index 24b1f54a..c7556f32 100644
--- a/routes/setup.php
+++ b/routes/setup.php
@@ -21,6 +21,8 @@ Route::group(['middleware' => 'setup'], function () {
 Route::post('/finish', 'SetupController@finish');
 });
 
-Route::any('/update', 'SetupController@update');
-Route::any('/exec-update', 'SetupController@doUpdate');
-Route::view('/changelog', 'setup.updates.changelog');
+Route::group(['middleware' => ['authorize', App\Http\Middleware\LockUpdatePage::class]], function () {
+ Route::any('/update', 'SetupController@update');
+ Route::any('/exec-update', 'SetupController@doUpdate');
+ Route::view('/changelog', 'setup.updates.changelog');
+});
diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php
index 8d17c261..1ed878cc 100644
--- a/tests/MiddlewareTest.php
+++ b/tests/MiddlewareTest.php
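Review bot: `abort_if($request->user()->permission < User::SUPER_ADMIN, 503)` dereferences `$request->user()` with no null check, so if this middleware is ever attached to a route without `authorize` running in front of it (routes/setup.php happens to list it first, but nothing in the class enforces that) an anonymous request ends in an Error instead of a denial. Reading the user into a local and treating null as denied closes that gap: `$user = $request->user();` / `abort_if($user === null || $user->permission < User::SUPER_ADMIN, 503);`. 503 Service Unavailable is also an unusual status for an authorization refusal — 403 is the conventional one, and proxies or health checks may read a 503 as the application being down — so if 503 is deliberate (for instance to match the existing locked-update page) a short comment above the `abort_if` should say so. The top of the file, including the class header and the `handle` signature, is not legible in this view, so the lines above the `abort_if` are unreviewed.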
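Review bot: The order of the two middleware in the new group is load-bearing — `authorize` has to run before `App\Http\Middleware\LockUpdatePage::class`, because the latter reads `$request->user()` (see the new middleware in this commit) — and nothing on the `Route::group` line records that; a comment such as `// 'authorize' must precede LockUpdatePage: it assumes an authenticated user` would guard against a reorder. Separately, `/exec-update` performs the upgrade but stays `Route::any`, so the state change remains reachable by a plain GET (the updated SetupControllerTest drives it with get()); if the controller does not itself insist on POST, narrowing the route to `Route::post` would put it behind the framework's CSRF token check. Whether CSRF middleware applies to this group at all is not visible in the hunk.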
@@ -210,4 +210,10 @@ class MiddlewareTest extends TestCase
 $this->get('/', ['user-agent' => 'MSIE'])->assertSee(trans('errors.http.ie'));
 $this->get('/', ['user-agent' => 'Trident'])->assertSee(trans('errors.http.ie'));
 }
+
+ public function testLockUpdatePage()
+ {
+ $this->actAs('admin')->get('/setup/changelog')->assertStatus(503);
+ $this->actAs('superAdmin')->get('/setup/changelog')->assertStatus(200);
+ }
 }
diff --git a/tests/SetupControllerTest.php b/tests/SetupControllerTest.php
index f6bc540f..db339af9 100644
--- a/tests/SetupControllerTest.php
+++ b/tests/SetupControllerTest.php
@@ -18,12 +18,6 @@ class SetupControllerTest extends TestCase
 {
 use DatabaseTransactions;
 
- protected function setUp(): void
- {
- parent::setUp();
- $this->dropAllTables();
- }
-
 protected function tearDown(): void
 {
 $this->dropAllTables();
@@ -57,11 +51,13 @@ class SetupControllerTest extends TestCase
 
 public function testWelcome()
 {
+ $this->dropAllTables();
 $this->get('/setup')->assertViewIs('setup.wizard.welcome');
 }
 
 public function testDatabase()
 {
+ $this->dropAllTables();
 $fake = [
 'type' => env('DB_CONNECTION'),
 'host' => env('DB_HOST'),
@@ -80,6 +76,7 @@ class SetupControllerTest extends TestCase
 
 public function testReportDatabaseConnectionError()
 {
+ $this->dropAllTables();
 $this->post('/setup/database', ['type' => 'sqlite', 'host' => 'placeholder', 'db' => 'test'])
 ->assertSee(trans('setup.database.connection-error', [
 'type' => 'SQLite',
@@ -89,6 +86,7 @@ class SetupControllerTest extends TestCase
 
 public function testInfo()
 {
+ $this->dropAllTables();
 $this->get('/setup/info')->assertViewIs('setup.wizard.info');
 Artisan::call('migrate:refresh');
 Schema::drop('users');
@@ -97,6 +95,7 @@ class SetupControllerTest extends TestCase
 
 public function testFinish()
 {
+ $this->dropAllTables();
 // Without `email` field
 $this->post('/setup/finish')
 ->assertDontSee(trans('setup.wizard.finish.title'));
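Review bot: testLockUpdatePage checks only an authenticated admin and super admin against `/setup/changelog`; it asserts nothing about an unauthenticated request, which is the case the `authorize` middleware in the new route group exists for, and it never touches `/setup/update` or `/setup/exec-update`, which the same group guards. One guest request before the existing two, `$this->get('/setup/changelog')` followed by whatever status or redirect `authorize` actually produces for a guest (not visible here), would pin that behaviour and catch a future drop of `authorize` from the group. The enclosing MiddlewareTest class continues outside the hunk.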
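Review bot: Removing `$this->dropAllTables()` from setUp() and re-adding it by hand at the top of testWelcome, testDatabase, testReportDatabaseConnectionError, testInfo and testFinish (the hunks at -57, -80, -89 and -97) leaves the reason unrecorded; presumably testUpdate now needs the users table intact so that `actAs('superAdmin')` can resolve a user, but nothing says so. A one-line comment on tearDown, e.g. `// Tables are dropped per test rather than in setUp(): testUpdate needs the users table for actAs()`, would keep a later cleanup from moving the call back. Any wizard test added later that forgets the call will silently run against a populated schema, so wrapping it in a small named helper on the class may also be worth considering.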
@@ -210,7 +209,8 @@ class SetupControllerTest extends TestCase
 
 public function testUpdate()
 {
- $this->get('/setup/update')
+ $this->actAs('superAdmin')
+ ->get('/setup/update')
 ->assertSee(trans('setup.locked.text'));
 
 option(['version' => '0.1.0']);
@@ -228,7 +228,7 @@ class SetupControllerTest extends TestCase
 );
 // Just a fixture
 config(['options.new_option' => 'value']);
- $this->get('/setup/exec-update')->assertViewHas('tips');
+ $this->actAs('superAdmin')->get('/setup/exec-update')->assertViewHas('tips');
 $this->assertEquals('value', option('new_option'));
 $this->assertEquals('100.0.0', option('version'));
 unlink(database_path("update_scripts/update-$current_version-to-100.0.0.php"));