Expand admin access; enforce workshop-scoped warehouse staff; add billing rules and payroll recalculation

[Kettailor]

Motivation

• Allow system administrators full access across operational modules while keeping normal admin/main flows restricted, and limit temporarily-suspended employees to personal features only.
• Restrict warehouse and warehouse-sheet access so warehouse staff see only warehouses for their workshop(s), and allow multiple warehouse managers per warehouse instead of free deletes.
• Ensure billing is created only for orders whose production plans are completed and support canceling invoices rather than hard deletes.
• Improve payroll: derive base salary from role, use a default daily rate, change insurance calculation to 10.5%, and modernize payroll UI and flows.

Description

• Access and account rules: updated core/Controller::authorize to broaden admin/test flows and to restrict accounts in TrangThai (e.g. Tạm nghỉ) to personal controllers, and added VT_ADMIN where appropriate in multiple controllers (QualityController, SuddenlyController, Factory_planController, BillController, Warehouse_sheetController, etc.).
• Warehouse / staff scoping: introduced role-aware helper methods in models/Employee (getActiveWarehouseEmployeesByWorkshop*), added per-workshop assignment filtering in models/WorkshopAssignment and controllers/WorkshopController, and replaced single-manager fields with multi-manager support in models/Warehouse (syncWarehouseManagers, getWarehouseManagerIds) plus UI (views/warehouse/*).
• No-delete / cancel flows: removed or disabled direct delete behavior across modules and replaced with cancel/suspend semantics (examples: controllers/PlanController plan cancel updates workshop plans and order status; controllers/Factory_planController and controllers/WorkshopController now present cancel/tam ngung flows and disable delete buttons in views; controllers/WarehouseController / Warehouse_sheetController / Human_resourcesController / SuddenlyController / QualityController delete actions replaced with warnings).
• Billing: models/Order gains getOrdersEligibleForBilling; controllers/BillController and views/bill/* enforce invoice creation only for orders with all related workshop plans completed, capture Thue, MaBuuDien, GhiChu, and convert deletes into invoice-status Hủy.
• Payroll: added base-salary derivation by role/position and default daily rate (300000) in controllers/SalaryController, changed insurance computation to 10.5% and applied to KhauTru/TongBaoHiem and bulk recalculation in models/Salary::recalculateAll, updated payroll wizard UI and views, added Self_salaryController + views/self_salary/index.php for personal payroll view.
• Workshop plan improvements: controllers/Workshop_planController now syncs parent production plan status when all workshop plans complete and notifies inspection-type workshops after end-of-shift lot creation.
• Misc: added schema-tolerant column handling for hoa_don in models/Bill, small UI and navbar updates to surface new personal salary link and remove delete actions from lists.

Testing

• No automated tests were executed on this change set in the environment provided.
• Changes were limited to PHP controllers, models and views; please run the project test suite or CI checks and perform a local smoke test (login, create/edit warehouse, create invoice, payroll wizard, plan cancel/progress) before deploying.

---

Codex Task