diff --git a/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs b/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs
index 295060c..83d209b 100644
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs
@@ -19,7 +19,12 @@ public sealed class BindRolePermissionsCommandHandler(
         var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();
 
         // 2. 覆盖式绑定权限
-        await rolePermissionRepository.ReplaceRolePermissionsAsync(tenantId, request.RoleId, request.PermissionIds, cancellationToken);
+        var distinctPermissionIds = request.PermissionIds
+            .Where(id => id > 0)
+            .Distinct()
+            .ToArray();
+
+        await rolePermissionRepository.ReplaceRolePermissionsAsync(tenantId, request.RoleId, distinctPermissionIds, cancellationToken);
         await rolePermissionRepository.SaveChangesAsync(cancellationToken);
 
         // 3. 返回执行结果
diff --git a/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfRolePermissionRepository.cs b/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfRolePermissionRepository.cs
index c1f0d4b..83c5101 100644
--- a/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfRolePermissionRepository.cs
+++ b/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfRolePermissionRepository.cs
@@ -33,22 +33,20 @@ public sealed class EfRolePermissionRepository(IdentityDbContext dbContext) : IR
         {
             await using var trx = await dbContext.Database.BeginTransactionAsync(cancellationToken);
 
-            var existing = await dbContext.RolePermissions
-                .Where(x => x.TenantId == tenantId && x.RoleId == roleId)
-                .ToListAsync(cancellationToken);
+            // 1. 删除旧记录（原生 SQL，避免跟踪干扰）
+            await dbContext.Database.ExecuteSqlRawAsync(
+                "DELETE FROM \"role_permissions\" WHERE \"TenantId\" = {0} AND \"RoleId\" = {1};",
+                parameters: new object[] { tenantId, roleId },
+                cancellationToken: cancellationToken);
 
-            dbContext.RolePermissions.RemoveRange(existing);
-            await dbContext.SaveChangesAsync(cancellationToken);
-
-            var toAdd = permissionIds.Distinct().Select(permissionId => new RolePermission
+            // 2. 插入新记录（防重复）
+            foreach (var permissionId in permissionIds.Distinct())
             {
-                TenantId = tenantId,
-                RoleId = roleId,
-                PermissionId = permissionId
-            });
-
-            await dbContext.RolePermissions.AddRangeAsync(toAdd, cancellationToken);
-            await dbContext.SaveChangesAsync(cancellationToken);
+                await dbContext.Database.ExecuteSqlRawAsync(
+                    "INSERT INTO \"role_permissions\" (\"TenantId\",\"RoleId\",\"PermissionId\",\"CreatedAt\",\"CreatedBy\",\"UpdatedAt\",\"UpdatedBy\",\"DeletedAt\",\"DeletedBy\") VALUES ({0},{1},{2},NOW(),NULL,NULL,NULL,NULL,NULL) ON CONFLICT DO NOTHING;",
+                    parameters: new object[] { tenantId, roleId, permissionId },
+                    cancellationToken: cancellationToken);
+            }
 
             await trx.CommitAsync(cancellationToken);
         });