yxy

public/assets/js/account.js

@@ -2,6 +2,8 @@ import { apiAction } from './api.js';
 import { initUserPanel, initAccountPage } from './ui-user.js';
 import { mountLogoutButton, ensureFloatingLogout } from './ui-auth.js';
 
+const pageType = document.body?.dataset?.page || 'account';
+
 async function ensureAuthenticated() {
   try {
     const me = await apiAction('auth.me', { method: 'GET' });
@@ -17,9 +19,19 @@ async function ensureAuthenticated() {
   }
 }
 
+function ensureAccess() {
+  const role = (window.__currentUser?.role || '').toLowerCase();
+  if (pageType === 'admin' && role !== 'owner' && role !== 'admin') {
+    window.location.href = '/account.php';
+    return false;
+  }
+  return true;
+}
+
 document.addEventListener('DOMContentLoaded', async () => {
   const ok = await ensureAuthenticated();
   if (!ok) return;
+  if (!ensureAccess()) return;
   initUserPanel();
   initAccountPage();
   mountLogoutButton('#btn-logout', { redirect: '/login.php' });