diff --git a/internal/fs/list.go b/internal/fs/list.go
index a0aa2b88..38a8b0cb 100644
--- a/internal/fs/list.go
+++ b/internal/fs/list.go
@@ -7,6 +7,8 @@ import (
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
+	"regexp"
+	"strings"
 )
 
 // List files
@@ -35,7 +37,7 @@ func list(ctx context.Context, path string) ([]model.Obj, error) {
 		}
 	}
 	if whetherHide(user, meta, path) {
-		hide(objs, meta)
+		objs = hide(objs, meta)
 	}
 	// sort objs
 	if account.Config().LocalSort {
@@ -47,7 +49,7 @@ func list(ctx context.Context, path string) ([]model.Obj, error) {
 
 func whetherHide(user *model.User, meta *model.Meta, path string) bool {
 	// if is admin, don't hide
-	if user.IsAdmin() {
+	if user.CanSeeHides() {
 		return false
 	}
 	// if meta is nil, don't hide
@@ -63,12 +65,28 @@ func whetherHide(user *model.User, meta *model.Meta, path string) bool {
 		return false
 	}
 	// if is guest, hide
-	if user.IsGuest() {
-		return true
-	}
-	return !user.CanSeeHides()
+	return true
 }
 
-func hide(objs []model.Obj, meta *model.Meta) {
-	// TODO: hide
+func hide(objs []model.Obj, meta *model.Meta) []model.Obj {
+	var res []model.Obj
+	deleted := make([]bool, len(objs))
+	rs := strings.Split(meta.Hide, "\n")
+	for _, r := range rs {
+		re, _ := regexp.Compile(r)
+		for i, obj := range objs {
+			if deleted[i] {
+				continue
+			}
+			if re.MatchString(obj.GetName()) {
+				deleted[i] = true
+			}
+		}
+	}
+	for i, obj := range objs {
+		if !deleted[i] {
+			res = append(res, obj)
+		}
+	}
+	return res
 }
diff --git a/server/controllers/meta.go b/server/controllers/meta.go
index 1192284a..9f646a0a 100644
--- a/server/controllers/meta.go
+++ b/server/controllers/meta.go
@@ -1,7 +1,10 @@
 package controllers
 
 import (
+	"fmt"
+	"regexp"
 	"strconv"
+	"strings"
 
 	"github.com/alist-org/alist/v3/internal/db"
 	"github.com/alist-org/alist/v3/internal/model"
@@ -35,6 +38,11 @@ func CreateMeta(c *gin.Context) {
 		common.ErrorResp(c, err, 400)
 		return
 	}
+	r, err := validHide(req.Hide)
+	if err != nil {
+		common.ErrorStrResp(c, fmt.Sprintf("%s is illegal: %s", r, err.Error()), 400)
+		return
+	}
 	req.Path = utils.StandardizePath(req.Path)
 	if err := db.CreateMeta(&req); err != nil {
 		common.ErrorResp(c, err, 500, true)
@@ -49,6 +57,11 @@ func UpdateMeta(c *gin.Context) {
 		common.ErrorResp(c, err, 400)
 		return
 	}
+	r, err := validHide(req.Hide)
+	if err != nil {
+		common.ErrorStrResp(c, fmt.Sprintf("%s is illegal: %s", r, err.Error()), 400)
+		return
+	}
 	req.Path = utils.StandardizePath(req.Path)
 	if err := db.UpdateMeta(&req); err != nil {
 		common.ErrorResp(c, err, 500, true)
@@ -57,6 +70,17 @@ func UpdateMeta(c *gin.Context) {
 	}
 }
 
+func validHide(hide string) (string, error) {
+	rs := strings.Split(hide, "\n")
+	for _, r := range rs {
+		_, err := regexp.Compile(r)
+		if err != nil {
+			return r, err
+		}
+	}
+	return "", nil
+}
+
 func DeleteMeta(c *gin.Context) {
 	idStr := c.Query("id")
 	id, err := strconv.Atoi(idStr)