|
@@ -2,6 +2,12 @@
|
|
|
require_once 'conn.php';
|
|
|
checkLogin();
|
|
|
|
|
|
+// 检查是否为管理员,非管理员无权删除
|
|
|
+if (!checkIfAdmin()) {
|
|
|
+ echo "<script>alert('您没有权限删除订单,只有管理员才能执行此操作'); window.location.href='order.php';</script>";
|
|
|
+ exit;
|
|
|
+}
|
|
|
+
|
|
|
// 获取订单ID
|
|
|
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
|
|
|
$keys = urlencode($_GET['keys'] ?? '');
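Review bot: The new admin gate still leaves the delete reachable by a plain GET carrying only `id` (`$_GET['id']` at the end of this hunk), so a logged-in admin who follows an attacker-supplied link deletes an order without any further confirmation; the commit narrows who may delete but adds no CSRF protection. Since only administrators can now reach this path, a forged request is worth more, not less. I would require a POST with a session-bound token before the admin check, e.g. `if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'] ?? '')) { http_response_code(403); exit; }`, assuming `conn.php`/the login flow already issues such a token — if not, that needs adding alongside this change. `checkIfAdmin()` is defined outside this hunk, so I cannot confirm what it actually verifies.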
|
|
@@ -13,19 +19,12 @@ if ($id <= 0) {
|
|
|
exit;
|
|
|
}
|
|
|
|
|
|
-// 验证订单所有权(只能删除自己的订单)
|
|
|
-$employee_id = $_SESSION['employee_id'];
|
|
|
-$isAdmin = checkIfAdmin();
|
|
|
-
|
|
|
+// 验证订单存在
|
|
|
$checkSql = "SELECT id FROM orders WHERE id = $id";
|
|
|
-if (!$isAdmin) {
|
|
|
- $checkSql .= " AND employee_id = $employee_id";
|
|
|
-}
|
|
|
-
|
|
|
$checkResult = mysqli_query($conn, $checkSql);
|
|
|
|
|
|
if (mysqli_num_rows($checkResult) === 0) {
|
|
|
- echo "<script>alert('订单不存在或您没有权限删除该订单');location.href='order.php?keys=$keys&Page=$page';</script>";
|
|
|
+ echo "<script>alert('订单不存在');location.href='order.php?keys=$keys&Page=$page';</script>";
|
|
|
exit;
|
|
|
}
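Review bot: The new alert line interpolates `$page` straight into the JavaScript redirect (`location.href='order.php?keys=$keys&Page=$page'`), while `$keys` is `urlencode()`d at its assignment; `$page` is assigned outside this hunk, so if it is not already integer-cast there this is a reflected injection into a script context. Whatever its source, I would normalise it before use, e.g. `$page = (int) ($page ?? 1);` or pass it through `urlencode()` like `$keys`. Separately, `mysqli_num_rows($checkResult)` is called without checking that `mysqli_query()` succeeded; on a query error `$checkResult` is `false` and this line throws a TypeError on PHP 8, so `if ($checkResult === false) { throw new Exception('订单查询失败: ' . mysqli_error($conn)); }` (or the file's equivalent alert-and-exit) should precede it. The `id` value itself is `intval()`d earlier, so the interpolation into SQL is bounded.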
|
|
|
|
|
@@ -42,9 +41,6 @@ try {
|
|
|
|
|
|
// 删除订单主表
|
|
|
$deleteOrderSql = "DELETE FROM orders WHERE id = $id";
|
|
|
- if (!$isAdmin) {
|
|
|
- $deleteOrderSql .= " AND employee_id = $employee_id";
|
|
|
- }
|
|
|
|
|
|
if (!mysqli_query($conn, $deleteOrderSql)) {
|
|
|
throw new Exception("删除订单失败: " . mysqli_error($conn));
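Review bot: With the ownership clause removed, `DELETE FROM orders WHERE id = $id` only fails on a database error, so if the row disappeared between the existence check earlier in the file and this statement the branch below is skipped and the deletion is reported as successful; I would add `if (mysqli_affected_rows($conn) === 0) { throw new Exception("订单不存在或已被删除"); }` right after the query succeeds. The enclosing `try` block starts outside this hunk, so I cannot see whether it wraps a transaction that would make the check-then-delete atomic. Since this is now an admin-only destructive action, the actor identity that the old code read from `$_SESSION['employee_id']` is no longer used anywhere visible; consider logging `$_SESSION['employee_id']` and `$id` before the delete so the operation is attributable in an incident review. For consistency with the security tips in this codebase a prepared statement (`mysqli_prepare($conn, 'DELETE FROM orders WHERE id = ?')` with an `'i'` bind) would also remove the remaining string interpolation, although `intval()` already bounds the value here.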
|