From 650c04a97200100d741de879629d657f4e0451c6 Mon Sep 17 00:00:00 2001
From: Hera Zhao <hera@euphon.net>
Date: Fri, 10 Apr 2026 19:55:21 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20=E9=AB=98=E7=BA=A7=E7=BC=96=E8=BE=91?=
 =?UTF-8?q?=E7=9B=B4=E6=8E=A5=E6=B7=BB=E5=8A=A0=E5=85=AC=E5=85=B1=E5=BA=93?=
 =?UTF-8?q?+=E7=BC=96=E8=BE=91=E8=80=85=E6=9D=83=E9=99=90=E7=B2=BE?=
 =?UTF-8?q?=E7=A1=AE=E6=8E=A7=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

公共库添加:
- 高级编辑直接添加到公共库时owner_id设为admin，所有人可见
- 高级编辑添加不触发审核通知

精油价目权限:
- 编辑精油改为canManage（senior_editor+admin）
- editor只能编辑配方，不能编辑精油价目

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 backend/main.py                     | 12 +++++++++---
 frontend/src/views/OilReference.vue |  8 ++++----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index 1b50276..05fa945 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -781,8 +781,14 @@ def create_recipe(recipe: RecipeIn, user=Depends(get_current_user)):
         raise HTTPException(401, "请先登录")
     conn = get_db()
     c = conn.cursor()
+    # Senior editors adding directly to public library: set owner to admin so everyone can see
+    owner_id = user["id"]
+    if user["role"] in ("senior_editor",):
+        admin = c.execute("SELECT id FROM users WHERE role = 'admin' LIMIT 1").fetchone()
+        if admin:
+            owner_id = admin["id"]
     c.execute("INSERT INTO recipes (name, note, owner_id) VALUES (?, ?, ?)",
-              (recipe.name, recipe.note, user["id"]))
+              (recipe.name, recipe.note, owner_id))
     rid = c.lastrowid
     for ing in recipe.ingredients:
         c.execute(
@@ -793,8 +799,8 @@ def create_recipe(recipe: RecipeIn, user=Depends(get_current_user)):
         c.execute("INSERT OR IGNORE INTO tags (name) VALUES (?)", (tag,))
         c.execute("INSERT OR IGNORE INTO recipe_tags (recipe_id, tag_name) VALUES (?, ?)", (rid, tag))
     log_audit(conn, user["id"], "create_recipe", "recipe", rid, recipe.name)
-    # Notify admin only when non-admin creates a recipe
-    if user["role"] != "admin":
+    # Notify admin when non-admin/non-senior_editor creates a recipe (needs review)
+    if user["role"] not in ("admin", "senior_editor"):
         who = user.get("display_name") or user["username"]
         conn.execute(
             "INSERT INTO notifications (target_role, title, body) VALUES (?, ?, ?)",
diff --git a/frontend/src/views/OilReference.vue b/frontend/src/views/OilReference.vue
index e58b170..db84abb 100644
--- a/frontend/src/views/OilReference.vue
+++ b/frontend/src/views/OilReference.vue
@@ -98,15 +98,15 @@
         <button @click="viewMode = 'drop'" :style="viewMode === 'drop' ? 'background:var(--sage);color:white' : 'background:white;color:var(--text-mid)'" style="border:none;border-radius:0;font-size:12px;padding:6px 12px;cursor:pointer">每滴价</button>
       </div>
       <!-- Desktop: text buttons -->
-      <button v-if="auth.canEdit" class="toolbar-btn-text" @click="showAddForm = !showAddForm">{{ showAddForm ? '收起' : '＋ 新增' }}</button>
+      <button v-if="auth.canManage" class="toolbar-btn-text" @click="showAddForm = !showAddForm">{{ showAddForm ? '收起' : '＋ 新增' }}</button>
       <button v-if="auth.isAdmin" class="toolbar-btn-text" @click="exportPDF">📥 导出PDF</button>
       <!-- Mobile: emoji-only buttons -->
-      <button v-if="auth.canEdit" class="toolbar-btn-icon" @click="showAddForm = !showAddForm" title="新增精油">➕</button>
+      <button v-if="auth.canManage" class="toolbar-btn-icon" @click="showAddForm = !showAddForm" title="新增精油">➕</button>
       <button v-if="auth.isAdmin" class="toolbar-btn-icon" @click="exportPDF" title="导出PDF">📄</button>
     </div>
 
     <!-- Add Oil Form (toggleable) -->
-    <div v-if="showAddForm && auth.canEdit" class="add-oil-form">
+    <div v-if="showAddForm && auth.canManage" class="add-oil-form">
       <div class="form-row">
         <input v-model="newOilName" style="flex:1;min-width:120px" placeholder="精油名称" class="form-input-sm" />
         <input v-model="newOilEnName" style="flex:1;min-width:100px" placeholder="英文名" class="form-input-sm" />
@@ -152,7 +152,7 @@
             </div>
           </template>
         </div>
-        <div v-if="auth.canEdit" class="oil-chip-actions" @click.stop>
+        <div v-if="auth.canManage" class="oil-chip-actions" @click.stop>
           <button @click="editOil(name)" title="编辑">✏️</button>
           <button @click="removeOil(name)" title="删除">🗑</button>
         </div>