feat: 配置功能仅admin可用，operator隐藏配置按钮+后端403拦截

- devices.html: 注入 USER_ROLE 全局变量
- devices.js: 配置按钮仅 USER_ROLE===admin 时渲染
- fixture.py: 页面/指令/保存三个路由均校验 admin 角色

edc-web/app/routes/fixture.py

@@ -114,6 +114,8 @@ def build_4b_packet(addr: int, dev_type: int, test_mode: int,
 @login_required
 def fixture_page(dnt_id):
     """工装配置页面"""
+    if current_user.role != "admin":
+        return "无权限：仅管理员可访问工装配置", 403
     device = get_device_by_id(dnt_id)
     if not device:
         return "设备不存在", 404
@@ -133,6 +135,8 @@ def vehicle_base_test_page():
 @login_required
 def api_fixture_command():
     """发送工装配置指令 (0x4A/0x4B/0x4C/0x4D/0x4E)"""
+    if current_user.role != "admin":
+        return jsonify({"ok": False, "error": "无权限：仅管理员可执行工装指令"}), 403
     data = request.get_json()
     dnt_id = data.get("dnt_id")
     cmd = data.get("cmd", "").upper()
@@ -220,6 +224,8 @@ def api_get_fixture_param(dnt_id):
 @login_required
 def api_save_fixture_param(dnt_id):
     """保存工装测试参数（仅数据库，不下发设备）"""
+    if current_user.role != "admin":
+        return jsonify({"ok": False, "error": "无权限：仅管理员可修改工装参数"}), 403
     data = request.get_json()
     if not data:
         return jsonify({"ok": False, "error": "数据为空"}), 400

edc-web/app/static/js/devices.js

@@ -22,7 +22,7 @@ function renderTable(devices) {
             <td>${d.last_login || '-'}</td>
             <td>
                 <button class="btn-test" onclick="location.href='/test/${d.id}'">测试</button>
-                <button class="btn-config" onclick="location.href='/fixture/${d.id}'">配置</button>
+                ${USER_ROLE === 'admin' ? `<button class="btn-config" onclick="location.href='/fixture/${d.id}'">配置</button>` : ''}
             </td>
         </tr>
     `).join("");

edc-web/app/templates/devices.html

@@ -20,5 +20,8 @@
 {% endblock %}
 
 {% block scripts %}
+<script>
+    const USER_ROLE = "{{ current_user.role }}";
+</script>
 <script src="{{ url_for('static', filename='js/devices.js') }}"></script>
 {% endblock %}