diff --git a/authz/authz.go b/authz/authz.go
index 399e0eab..ca3991f7 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -128,6 +128,12 @@ p, *, *, GET, /api/get-release, *, *
 }
 
 func IsAllowed(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
+	if conf.IsDemoMode() {
+		if !isAllowedInDemoMode(subOwner, subName, method, urlPath, objOwner, objName) {
+			return false
+		}
+	}
+
 	res, err := Enforcer.Enforce(subOwner, subName, method, urlPath, objOwner, objName)
 	if err != nil {
 		panic(err)
@@ -135,3 +141,22 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 
 	return res
 }
+
+func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
+	if method == "POST" {
+		if urlPath == "/api/login" || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" {
+			return true
+		} else if urlPath == "/api/update-user" {
+			// Allow ordinary users to update their own information
+			if subOwner == objOwner && subName == objName && !(subOwner == "built-in" && subName == "admin") {
+				return true
+			}
+			return false
+		} else {
+			return false
+		}
+	}
+
+	// If method equals GET
+	return true
+}
diff --git a/conf/app.conf b/conf/app.conf
index fbeac4f8..59c0e85c 100644
--- a/conf/app.conf
+++ b/conf/app.conf
@@ -16,4 +16,5 @@ verificationCodeTimeout = 10
 initScore = 2000
 logPostOnly = true
 origin =
-staticBaseUrl = "https://cdn.casbin.org"
\ No newline at end of file
+staticBaseUrl = "https://cdn.casbin.org"
+isDemoMode = false
diff --git a/conf/conf.go b/conf/conf.go
index 13d2312e..256522ae 100644
--- a/conf/conf.go
+++ b/conf/conf.go
@@ -80,3 +80,7 @@ func GetBeegoConfDataSourceName() string {
 
 	return dataSourceName
 }
+
+func IsDemoMode() bool {
+	return strings.ToLower(GetConfigString("isDemoMode")) == "true"
+}
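Review bot: The exported IsAllowed gains a second decision stage but still has no doc comment, and the ordering of the new demo-mode gate ahead of Enforcer.Enforce is the security-relevant property worth stating: demo mode can only narrow what the Casbin policy grants, never widen it. I would add above the signature `// IsAllowed reports whether the subject may perform method on urlPath against the object. In demo mode the request must first pass isAllowedInDemoMode, and only then is the Casbin enforcer consulted, so demo mode only restricts the policy's decision.` IsAllowed's body continues past the end of this hunk.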
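Review bot: The trailing `return true` in isAllowedInDemoMode applies to every method other than "POST", not only GET as the comment above it claims; PUT, PATCH and DELETE requests would bypass the demo-mode restriction entirely and fall through to the enforcer alone. Whether the application routes any non-POST mutating requests is not visible from this hunk, but the guard should fail closed regardless: replace the last two lines with `// Outside the explicit POST allow-list, only read-only GET requests are permitted in demo mode` and `return method == "GET"`. The exact-match comparisons on urlPath and the hard-coded `built-in`/`admin` exclusion fail closed on mismatch, so they are safe as written, though the admin check deserves a comment naming why that account is excluded from self-update.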
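Review bot: IsDemoMode is exported and has no doc comment, and since it now sits on the authorization path its fail-safe default should be spelled out. I would add `// IsDemoMode reports whether the isDemoMode config key is set to "true" (case-insensitive); any other value, including an absent key, leaves demo mode off.` The behaviour of GetConfigString on a missing key is not visible in this hunk, so that last clause should be confirmed against its implementation before the comment is committed.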