diff --git a/src/main/java/com/example/building/controller/ProductController.java b/src/main/java/com/example/building/controller/ProductController.java
index 7ce163b..b6e443d 100644
--- a/src/main/java/com/example/building/controller/ProductController.java
+++ b/src/main/java/com/example/building/controller/ProductController.java
@@ -31,26 +31,38 @@ public class ProductController {
     }
 
     /**
-     * 新增分类
+     * 新增分类（仅管理员）
      */
     @PostMapping("/categories")
-    public Result<Category> createCategory(@RequestBody Category category) {
+    public Result<Category> createCategory(@RequestBody Category category,
+                                          @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         return Result.success(productService.createCategory(category));
     }
 
     /**
-     * 修改分类
+     * 修改分类（仅管理员）
      */
     @PutMapping("/categories/{id}")
-    public Result<Category> updateCategory(@PathVariable String id, @RequestBody Category category) {
+    public Result<Category> updateCategory(@PathVariable String id, @RequestBody Category category,
+                                          @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         return Result.success(productService.updateCategory(id, category));
     }
 
     /**
-     * 删除分类
+     * 删除分类（仅管理员）
      */
     @DeleteMapping("/categories/{id}")
-    public Result<Void> deleteCategory(@PathVariable String id) {
+    public Result<Void> deleteCategory(@PathVariable String id,
+                                       @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         productService.deleteCategory(id);
         return Result.success();
     }
@@ -76,26 +88,38 @@ public class ProductController {
     }
 
     /**
-     * 新增商品
+     * 新增商品（仅管理员）
      */
     @PostMapping
-    public Result<Product> createProduct(@RequestBody Product product) {
+    public Result<Product> createProduct(@RequestBody Product product,
+                                         @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         return Result.success(productService.createProduct(product));
     }
 
     /**
-     * 修改商品
+     * 修改商品（仅管理员）
      */
     @PutMapping("/{id}")
-    public Result<Product> updateProduct(@PathVariable String id, @RequestBody Product product) {
+    public Result<Product> updateProduct(@PathVariable String id, @RequestBody Product product,
+                                         @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         return Result.success(productService.updateProduct(id, product));
     }
 
     /**
-     * 删除商品
+     * 删除商品（仅管理员）
      */
     @DeleteMapping("/{id}")
-    public Result<Void> deleteProduct(@PathVariable String id) {
+    public Result<Void> deleteProduct(@PathVariable String id,
+                                      @RequestHeader(value = "X-User-Role", required = false) String role) {
+        if (!"admin".equals(role)) {
+            return Result.error("只有管理员可以操作");
+        }
         productService.deleteProduct(id);
         return Result.success();
     }