
fleat: update permission

igb 6 days ago
parent
commit
d1f408be7b
8 changed files with 95 additions and 9 deletions
  1. 10 1
      conn.php
  2. 15 2
      order.php
  3. 12 2
      order_delete.php
  4. 8 1
      order_details.php
  5. 13 0
      order_save.php
  6. 9 2
      relationshipAdd.php
  7. 22 1
      relationshipSave.php
  8. 6 0
      relationships.php

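--- a/conn.php
+++ b/conn.php
@@ -77,8 +77,17 @@ function checkAdminOrEmployee () {
     }
 }
 
+// 检查是否管理员
+function checkIfAdmin() {
 
-
+    if ((empty($_SESSION['em_permission_role_id'])||($_SESSION['em_permission_role_id']!=1))) {
+      return false;
+    }
+    else
+    {
+        return true;
+    }
+}
 
 
 // 获取IP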
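Review bot: checkIfAdmin hard-codes the admin role as a bare `1` compared with loose `!=`, and spreads a one-line predicate over an if/else with a stray blank line inside the function body, so the rule every other file in this commit now depends on is easy to miss when grepping for role ids. I would name the constant and collapse the body: `define('ADMIN_ROLE_ID', 1);` next to the function and `return !empty($_SESSION['em_permission_role_id']) && (int)$_SESSION['em_permission_role_id'] === ADMIN_ROLE_ID;` (assuming role ids are integers, which the `!=1` comparison suggests). A short docblock should also say that the role comes from the server-side session and is therefore only as trustworthy as the login code that sets it, because this function is now the single authorisation predicate for orders and relationships. The checkAdminOrEmployee function named in the hunk header ends inside the hunk but starts outside it.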

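--- a/order.php
+++ b/order.php
@@ -37,10 +37,16 @@ $ordStr = !empty($ord) ? "$ord," : "";
 
 // 构建查询SQL
 $employee_id = $_SESSION['employee_id'];
+$isAdmin = checkIfAdmin();
 $sqlStr = "SELECT o.*, c.cs_company, c.cs_code
            FROM orders o
            LEFT JOIN customer c ON o.customer_id = c.id
-           WHERE o.employee_id = $employee_id";
+           WHERE 1=1";
+
+// 非管理员只能查看自己的订单
+if (!$isAdmin) {
+    $sqlStr .= " AND o.employee_id = $employee_id";
+}
 
 if (!empty($keyscode)) {
     $sqlStr .= " AND (o.order_code LIKE '%$keyscode%'
@@ -231,12 +237,19 @@ $sqlStr .= " $fliterStr ORDER BY {$ordStr}o.created_at DESC";
         $employee_id = $_SESSION['employee_id'];
         $countSql = "SELECT COUNT(*) AS total FROM orders o
                      LEFT JOIN customer c ON o.customer_id = c.id
-                     WHERE o.employee_id = $employee_id";
+                     WHERE 1=1";
+
+        // 非管理员只能查看自己的订单
+        if (!$isAdmin) {
+            $countSql .= " AND o.employee_id = $employee_id";
+        }
+
         if (!empty($keyscode)) {
             $countSql .= " AND (o.order_code LIKE '%$keyscode%'
                          OR c.cs_company LIKE '%$keyscode%'
                          OR c.cs_code LIKE '%$keyscode%')";
         }
+
         $countSql .= $fliterStr;
 
         $countResult = mysqli_query($conn, $countSql);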
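Review bot: The second hunk reuses `$isAdmin` from line 37 without recomputing it, while `$employee_id` is deliberately re-read from the session on the line just above `$countSql`; if that count block lives in a different scope than the top of the file (a function or an include — the eight-space indent hints at an enclosing block that starts outside the hunk), `$isAdmin` is undefined there, `!$isAdmin` is true, and admins get a pager total that disagrees with the rows actually listed. Adding `$isAdmin = checkIfAdmin();` next to the `$employee_id` re-read makes the block self-contained either way. Separately, both queries still build SQL by interpolation and the new `WHERE 1=1` base makes appending fragments easier; `$employee_id` is server-side session data, but `$keyscode` and `$ordStr` are not, so at minimum cast `(int)$employee_id` and plan a move to prepared statements.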

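--- a/order_delete.php
+++ b/order_delete.php
@@ -15,7 +15,13 @@ if ($id <= 0) {
 
 // 验证订单所有权(只能删除自己的订单)
 $employee_id = $_SESSION['employee_id'];
-$checkSql = "SELECT id FROM orders WHERE id = $id AND employee_id = $employee_id";
+$isAdmin = checkIfAdmin();
+
+$checkSql = "SELECT id FROM orders WHERE id = $id";
+if (!$isAdmin) {
+    $checkSql .= " AND employee_id = $employee_id";
+}
+
 $checkResult = mysqli_query($conn, $checkSql);
 
 if (mysqli_num_rows($checkResult) === 0) {
@@ -35,7 +41,11 @@ try {
     }
     
     // 删除订单主表
-    $deleteOrderSql = "DELETE FROM orders WHERE id = $id AND employee_id = $employee_id";
+    $deleteOrderSql = "DELETE FROM orders WHERE id = $id";
+    if (!$isAdmin) {
+        $deleteOrderSql .= " AND employee_id = $employee_id";
+    }
+
     if (!mysqli_query($conn, $deleteOrderSql)) {
         throw new Exception("删除订单失败: " . mysqli_error($conn));
     }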
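Review bot: The comment at the top of the first hunk, "验证订单所有权(只能删除自己的订单)", is now wrong: admins may delete any order, and only non-admins are restricted to their own. I would rewrite it as `// Ownership check: non-admins may only delete their own orders; admins (checkIfAdmin) may delete any.` so the next reader does not assume the old rule still holds. The try block in the second hunk starts outside the hunk; whatever child-row deletes happen there before the main DELETE rely entirely on the pre-check above, which is fine as long as nothing in between can change `$id`. Both queries still interpolate values; `$id` is guarded by the `<= 0` check and `$employee_id` is session data, but `(int)` casts, e.g. `$checkSql .= " AND employee_id = " . (int)$employee_id;`, cost nothing and remove the ambiguity.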

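--- a/order_details.php
+++ b/order_details.php
@@ -8,12 +8,19 @@ $id = $_GET['id'] ?? '';
 if (!empty($id) && is_numeric($id)) {
     // 获取订单基本信息
     $employee_id = $_SESSION['employee_id'];
+    $isAdmin = checkIfAdmin();
+    
     $sql = "SELECT o.*, c.cs_company, c.cs_code, cc.contact_name, e.em_user as employee_name 
             FROM orders o 
             LEFT JOIN customer c ON o.customer_id = c.id 
             LEFT JOIN customer_contact cc ON o.contact_id = cc.id 
             LEFT JOIN employee e ON o.employee_id = e.id
-            WHERE o.id = $id AND o.employee_id = $employee_id";
+            WHERE o.id = $id";
+    
+    // 非管理员只能查看自己的订单
+    if (!$isAdmin) {
+        $sql .= " AND o.employee_id = $employee_id";
+    }
 
     $result = mysqli_query($conn, $sql);
 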
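Review bot: The "admin or owner" filter added here is the same four lines that this commit also pastes into order.php (twice) and order_delete.php (twice), each with its own interpolation of `$employee_id`; one helper in conn.php would keep the authorisation rule in a single place and make the cast uniform, e.g. `function employeeScopeSql(string $column): string { return checkIfAdmin() ? '' : " AND $column = " . (int)$_SESSION['employee_id']; }` and here `$sql .= employeeScopeSql('o.employee_id');`. Note that `is_numeric($id)` also accepts forms like `"1e3"` or `" 1"`, which MySQL will happily evaluate; `(int)$id` before interpolation (or a prepared statement) is the cleaner guard. The `if (!empty($id) && is_numeric($id))` block continues past the end of the hunk.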

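--- a/order_save.php
+++ b/order_save.php
@@ -6,6 +6,19 @@ $isedit = false;
 $id = $_POST['id'] ?? '';
 if (!empty($id) && is_numeric($id)) {
     $isedit = true;
+    
+    // 检查是否为管理员,非管理员只能编辑自己的订单
+    $isAdmin = checkIfAdmin();
+    if (!$isAdmin) {
+        // 验证订单所有权
+        $checkOwnershipQuery = "SELECT id FROM orders WHERE id = $id AND employee_id = " . $_SESSION['employee_id'];
+        $ownershipResult = mysqli_query($conn, $checkOwnershipQuery);
+        
+        if (mysqli_num_rows($ownershipResult) === 0) {
+            echo "<script>alert('您没有权限编辑此订单!');history.back();</script>";
+            exit;
+        }
+    }
 }
 
 // 获取表单数据 - 订单基本信息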
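Review bot: `$isAdmin` is only assigned inside the `$isedit` branch, so any later use of it on the new-order path (for example to decide whether a posted employee_id may be honoured) reads an undefined variable — a warning that evaluates as non-admin, fail-closed but noisy; hoisting `$isAdmin = checkIfAdmin();` above the `if` avoids that. `mysqli_num_rows($ownershipResult)` will throw a TypeError on PHP 8 if the query fails and `$ownershipResult` is `false`, so either check `$ownershipResult === false` first or switch this to a prepared statement with `bind_param('ii', $id, $_SESSION['employee_id'])`. The UPDATE this pre-check protects is outside the hunk; for non-admins keeping `AND employee_id = …` on that UPDATE as well is cheap defence in depth, since the check and the write are separate statements.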

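--- a/relationshipAdd.php
+++ b/relationshipAdd.php
@@ -17,6 +17,13 @@ if (isset($_GET['id']) && is_numeric($_GET['id'])) {
     if ($result->num_rows > 0) {
         $relationshipData = $result->fetch_assoc();
         $isEdit = true;
+        
+        // 检查权限:如果不是管理员,只能编辑自己创建的关系
+        $isAdmin = checkIfAdmin();
+        if (!$isAdmin && $relationshipData['employee_id'] != $_SESSION['employee_id']) {
+            echo "<script>alert('您没有权限编辑此客户关系记录!'); window.location.href='relationships.php';</script>";
+            exit;
+        }
     } else {
         echo "<script>alert('未找到指定的客户关系记录!'); window.location.href='relationships.php';</script>";
         exit;
@@ -306,7 +313,7 @@ if (isset($_GET['id']) && is_numeric($_GET['id'])) {
                     <th width="15%">源客户</th>
                     <td>
                         <div class="customer-search-container">
-                            <input type="text" id="source_customer_search" class="customer-search txt1" data-type="source" placeholder="输入客户名称搜索..." value="" />
+                            <input type="text" id="source_customer_search" class="customer-search txt1" data-type="source" placeholder="输入客户编码或名称搜索..." value="" />
                             <div id="source_customer_selected" class="selected-customer-info" title="<?php 
                             if ($isEdit) {
                                 $sourceCustQuery = "SELECT cs_company, cs_code FROM customer WHERE id = ?";
@@ -348,7 +355,7 @@ if (isset($_GET['id']) && is_numeric($_GET['id'])) {
                     <th>目标客户</th>
                     <td>
                         <div class="customer-search-container">
-                            <input type="text" id="target_customer_search" class="customer-search txt1" data-type="target" placeholder="输入客户名称搜索..." value="" />
+                            <input type="text" id="target_customer_search" class="customer-search txt1" data-type="target" placeholder="输入客户编码或名称搜索..." value="" />
                             <div id="target_customer_selected" class="selected-customer-info" title="<?php 
                             if ($isEdit) {
                                 $targetCustQuery = "SELECT cs_company, cs_code FROM customer WHERE id = ?";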
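Review bot: In the first hunk the owner comparison `$relationshipData['employee_id'] != $_SESSION['employee_id']` relies on loose comparison between a string from the database and whatever type the session stores; it works today, but `(int)$relationshipData['employee_id'] !== (int)$_SESSION['employee_id']` states the intent and keeps working if the file ever enables strict types. The two distinct messages — "no permission" when the row exists, "not found" when it does not — let a non-admin enumerate which relationship ids exist by probing `?id=`; returning the same message and redirect for both cases closes that. The outer `if (isset($_GET['id']) …)` block starts and ends outside this hunk, and the two placeholder-text hunks are cosmetic.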

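--- a/relationshipSave.php
+++ b/relationshipSave.php
@@ -15,6 +15,7 @@ $description = isset($_POST['description']) ? textEncode($_POST['description']) 
 
 // 当前员工ID
 $employee_id = $_SESSION['employee_id'];
+$isAdmin = checkIfAdmin();
 
 // 删除操作
 if ($act == 'delete' && $id > 0) {
@@ -27,8 +28,14 @@ if ($act == 'delete' && $id > 0) {
         exit;
     }
     
-    // 记录删除操作到日志
+    // 检查权限:如果不是管理员,只能删除自己创建的关系
     $row = $result->fetch_assoc();
+    if (!$isAdmin && $row['employee_id'] != $_SESSION['employee_id']) {
+        echo "<script>alert('您没有权限删除此客户关系记录!'); window.location.href='relationships.php';</script>";
+        exit;
+    }
+    
+    // 记录删除操作到日志
     $source_company_query = "SELECT cs_company FROM customer WHERE id = ".$row['source_customer_id'];
     $target_company_query = "SELECT cs_company FROM customer WHERE id = ".$row['target_customer_id'];
     
@@ -93,6 +100,20 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
         exit;
     }
     
+    // 如果是编辑操作,检查权限
+    if ($id > 0) {
+        $checkPermissionQuery = "SELECT * FROM customer_relationship WHERE id = $id";
+        $permResult = $conn->query($checkPermissionQuery);
+        
+        if ($permResult->num_rows > 0) {
+            $permRow = $permResult->fetch_assoc();
+            if (!$isAdmin && $permRow['employee_id'] != $_SESSION['employee_id']) {
+                echo "<script>alert('您没有权限编辑此客户关系记录!'); window.location.href='relationships.php';</script>";
+                exit;
+            }
+        }
+    }
+    
     // 根据是否有ID决定是更新还是新增
     if ($id > 0) {
         // 更新操作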
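Review bot: In the third hunk, when `$permResult->num_rows` is 0 — an `id` that does not exist — the permission block is skipped entirely and control falls through to the update branch below with `$id > 0` still true; nothing matches the UPDATE, but the request is not rejected and whatever follows (logging, success redirect) runs as if it had. Add the not-found exit the delete branch already has: `} else { echo "<script>alert('未找到指定的客户关系记录!'); window.location.href='relationships.php';</script>"; exit; }`. The lookup also selects `*` when only `employee_id` is needed, and since relationshipAdd.php in this same commit already uses `prepare(... WHERE id = ?)`, the same form fits here: `$stmt = $conn->prepare('SELECT employee_id FROM customer_relationship WHERE id = ?'); $stmt->bind_param('i', $id);`. The UPDATE itself is outside the hunk; for non-admins carrying `AND employee_id = ?` on it as well would not hurt. The POST block starts and ends outside this hunk.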

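--- a/relationships.php
+++ b/relationships.php
@@ -272,6 +272,12 @@ if (isset($fliterStatus) && $fliterStatus !== '') {
         $whereClause = "WHERE 1=1";
         $params = [];
         
+        // 检查是否为管理员,非管理员只能查看自己创建的关系
+        $isAdmin = checkIfAdmin();
+        if (!$isAdmin) {
+            $whereClause .= " AND cr.employee_id = " . $_SESSION['employee_id'];
+        }
+        
         if (!empty($keys)) {
             $searchKeys = '%' . $conn->real_escape_string($keys) . '%';
             $whereClause .= " AND (c1.cs_code LIKE '$searchKeys' OR c1.cs_company LIKE '$searchKeys' OR c2.cs_code LIKE '$searchKeys' OR c2.cs_company LIKE '$searchKeys' OR cr.description LIKE '$searchKeys')";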
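Review bot: The new filter concatenates `$_SESSION['employee_id']` straight into `$whereClause` two lines after this block initialises `$params = []`; if `$params` is bound to placeholders further down (not visible here), the consistent form is `$whereClause .= " AND cr.employee_id = ?"; $params[] = $_SESSION['employee_id'];`, and if it is not, at least `(int)$_SESSION['employee_id']` so the fragment is guaranteed to be a number. The session value is server-controlled, so this is not an injection today, but it sets the pattern the keyword search just below already deviates from with `real_escape_string`. The enclosing block (eight-space indent) starts and ends outside the hunk.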