From ba584a57e00bd5de217db49763489373b4af5212 Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Wed, 22 Dec 2021 13:08:24 -0500
Subject: [PATCH] BREAKING CHANGES - Many DB Updates - NOT POSSIBLE TO EASILY
 UPGRADE TO THIS - Completely reworked User Company Access Permssions, started
 working on Client Role so Clients can access their data and a  bunch of other
 small fixes

---
 add_user_modal.php       | 17 +++----
 admin_side_nav.php       |  2 +-
 check_login.php          | 57 +++++++++++++++--------
 client.php               |  2 +-
 clients.php              |  6 +--
 db.sql                   | 99 ++++++++++++++++++++++++++++++++--------
 edit_user_modal.php      | 21 +++++----
 header.php               |  4 +-
 invoice.php              |  2 +-
 login.php                | 11 ++---
 post.php                 | 55 +++++++++++++---------
 setup.php                |  3 ++
 side_nav.php             |  8 ++--
 ticket.php               |  2 +-
 top_nav.php              |  2 +-
 user_clients_modal.php   |  4 +-
 user_companies_modal.php |  6 +--
 users.php                | 49 ++++++++++++--------
 18 files changed, 227 insertions(+), 123 deletions(-)

diff --git a/add_user_modal.php b/add_user_modal.php
index d5844277..d6bcaf8c 100644
--- a/add_user_modal.php
+++ b/add_user_modal.php
@@ -49,7 +49,7 @@
               <div class="input-group-prepend">
                 <span class="input-group-text"><i class="fa fa-fw fa-building"></i></span>
               </div>
-              <select class="form-control select2" name="company" required>
+              <select class="form-control select2" name="default_company" required>
                 <option value="">- Company -</option>
                 <?php 
                 
@@ -68,18 +68,19 @@
           </div>
 
           <div class="form-group">
-            <label>Permission <strong class="text-danger">*</strong></label>
+            <label>Role <strong class="text-danger">*</strong></label>
             <div class="input-group">
               <div class="input-group-prepend">
                 <span class="input-group-text"><i class="fa fa-fw fa-user-shield"></i></span>
               </div>
               <select class="form-control select2" name="level" required>
-                <option value="">- Permission -</option>
-                <option value="5">Global Administrator</option>
-                <option value="4">Administrator</option>
-                <option value="3">Technician</option>
-                <option value="2">IT Contractor</option>
-                <option value="1">Accounting</option>
+                <option value="">- Role -</option>
+                <option value="6">Global Administrator</option>
+                <option value="5">Administrator</option>
+                <option value="4">Technician</option>
+                <option value="3">IT Contractor</option>
+                <option value="2">Client</option>
+                <option value="1">Accountant</option>
               </select>
             </div>
           </div>
diff --git a/admin_side_nav.php b/admin_side_nav.php
index 7766be7d..549e8ae4 100644
--- a/admin_side_nav.php
+++ b/admin_side_nav.php
@@ -16,7 +16,7 @@
           
           <?php
           
-          $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id IN ($session_permission_companies)");
+          $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id IN ($session_user_company_access)");
           while($row = mysqli_fetch_array($sql)){
 
             $company_id = $row['company_id'];
diff --git a/check_login.php b/check_login.php
index 78718ab0..e908aaf4 100644
--- a/check_login.php
+++ b/check_login.php
@@ -15,31 +15,50 @@
 
 	$session_user_id = $_SESSION['user_id'];
 
-	$sql = mysqli_query($mysqli,"SELECT * FROM users, permissions  WHERE users.user_id = permissions.user_id AND users.user_id = $session_user_id");
-	
+	$sql = mysqli_query($mysqli,"SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id");
 	$row = mysqli_fetch_array($sql);
 	$session_name = $row['user_name'];
 	$session_email = $row['user_email'];
 	$session_avatar = $row['user_avatar'];
-	$session_company_id = $row['permission_default_company'];
 	$session_token = $row['user_token'];
-
-	$session_permission_level = $row['permission_level'];
-  if($session_permission_level == 5){
-    $session_permission_level_display = "Global Administrator";
-  }elseif($session_permission_level == 4){
-    $session_permission_level_display = "Administrator";
-  }elseif($session_permission_level == 3){
-    $session_permission_level_display = "Technician";
-  }elseif($session_permission_level == 2){
-    $session_permission_level_display = "IT Contractor";
+	$session_company_id = $row['user_default_company'];
+	$session_user_role = $row['user_role'];
+  if($session_user_role == 6){
+    $session_user_role_display = "Global Administrator";
+  }elseif($session_user_role == 5){
+    $session_user_role_display = "Administrator";
+  }elseif($session_user_role == 4){
+    $session_user_role_display = "Technician";
+  }elseif($session_user_role == 3){
+    $session_user_role_display = "IT Contractor";
+  }elseif($session_user_role == 2){
+    $session_user_role_display = "Client";
   }else{
-    $session_permission_level_display = "Accounting";  
+    $session_user_role_display = "Accountant";
   }
-	$session_permission_companies_array = explode(",",$row['permission_companies']);
-	$session_permission_companies = $row['permission_companies'];
-	$session_permission_clients_array = explode(",",$row['permission_clients']);
-	$session_permission_clients = $row['permission_clients'];
+	
+  //LOAD USER COMPANY ACCESS PERMISSIONS
+  $session_user_company_access_sql = mysqli_query($mysqli,"SELECT company_id FROM user_companies WHERE user_id = $session_user_id");
+  $session_user_company_access_array = array();
+  while($row = mysqli_fetch_array($session_user_company_access_sql)){
+  	$session_user_company_access_array[] = $row['company_id'];
+  }
+  $session_user_company_access = implode(',',$session_user_company_access_array);
+
+  //Check to see if user has rights to company Prevents User from access a company he is not allowed to have access to.
+  if(!in_array($session_company_id,$session_user_company_access_array)){
+  	session_start();
+    session_destroy();
+    header('Location: login.php');
+  }
+
+  //LOAD USER CLIENT ACCESS PERMISSIONS
+  $session_user_client_access_sql = mysqli_query($mysqli,"SELECT client_id FROM user_clients WHERE user_id = $session_user_id");
+  $session_user_client_access_array = array();
+  while($row = mysqli_fetch_array($session_user_client_access_sql)){
+  	$session_user_client_access_array[] = $row['client_id'];
+  }
+  $session_user_client_access = implode(',',$session_user_client_access_array);
 
 	$sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id = $session_company_id");
 	$row = mysqli_fetch_array($sql);
@@ -65,4 +84,4 @@
 	$row = mysqli_fetch_assoc(mysqli_query($mysqli,"SELECT COUNT('alert_id') AS num FROM alerts WHERE alert_ack_date IS NULL AND company_id = $session_company_id"));
   $num_alerts = $row['num'];
 
-?>
+?>
\ No newline at end of file
diff --git a/client.php b/client.php
index 938c2aa3..3415ee13 100644
--- a/client.php
+++ b/client.php
@@ -202,7 +202,7 @@ $location_phone = formatPhoneNumber($location_phone);
         } 
         ?>
       </div>
-      <?php if($session_permission_level == 1 OR $session_permission_level > 3){ ?>
+      <?php if($session_user_role == 1 OR $session_user_role > 3){ ?>
       <div class="col-md-3 border-left">
         <h4 class="text-secondary">Billing</h4>
         <h6 class="ml-1 text-secondary">Paid <div class="text-dark float-right"> <?php echo get_currency_symbol($session_company_currency); ?> <?php echo number_format($amount_paid,2); ?></div></h6>
diff --git a/clients.php b/clients.php
index e222a2f7..6ac36853 100644
--- a/clients.php
+++ b/clients.php
@@ -1,8 +1,8 @@
 <?php include("header.php");
 
-//Permission check
-if($session_permission_level == 2){
-  $permission_sql = "AND client_id IN ($session_permission_clients)";
+// Role / Client Access Permission Check
+if($session_user_role == 2){
+  $permission_sql = "AND client_id IN ($session_user_client_access)";
 }else{
   $permission_sql = "";
 }
diff --git a/db.sql b/db.sql
index 88033f8e..f898ae4f 100644
--- a/db.sql
+++ b/db.sql
@@ -54,6 +54,24 @@ CREATE TABLE `alerts` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `api_keys`
+--
+
+DROP TABLE IF EXISTS `api_keys`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `api_keys` (
+  `api_key_id` int(11) NOT NULL AUTO_INCREMENT,
+  `api_key_secret` varchar(255) NOT NULL,
+  `api_key_description` varchar(255) DEFAULT NULL,
+  `api_key_created_at` datetime NOT NULL,
+  `api_key_expire` datetime NOT NULL,
+  `company_id` int(11) NOT NULL,
+  PRIMARY KEY (`api_key_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `assets`
 --
@@ -582,6 +600,8 @@ CREATE TABLE `logs` (
   `log_type` varchar(200) NOT NULL,
   `log_action` varchar(255) NOT NULL,
   `log_description` varchar(255) NOT NULL,
+  `log_ip` varchar(200) DEFAULT NULL,
+  `log_user_agent` varchar(250) DEFAULT NULL,
   `log_created_at` datetime NOT NULL,
   `log_archived_at` datetime DEFAULT NULL,
   `log_client_id` int(11) DEFAULT NULL,
@@ -663,25 +683,6 @@ CREATE TABLE `payments` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
---
--- Table structure for table `permissions`
---
-
-DROP TABLE IF EXISTS `permissions`;
-/*!40101 SET @saved_cs_client     = @@character_set_client */;
-/*!40101 SET character_set_client = utf8 */;
-CREATE TABLE `permissions` (
-  `permission_id` int(11) NOT NULL AUTO_INCREMENT,
-  `permission_level` tinyint(1) NOT NULL,
-  `permission_default_company` int(11) NOT NULL,
-  `permission_companies` varchar(500) NOT NULL,
-  `permission_clients` varchar(500) DEFAULT NULL,
-  `permission_actions` tinyint(1) DEFAULT NULL,
-  `user_id` int(11) NOT NULL,
-  PRIMARY KEY (`permission_id`)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-/*!40101 SET character_set_client = @saved_cs_client */;
-
 --
 -- Table structure for table `products`
 --
@@ -810,6 +811,20 @@ CREATE TABLE `revenues` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `roles`
+--
+
+DROP TABLE IF EXISTS `roles`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `roles` (
+  `role_id` int(11) NOT NULL AUTO_INCREMENT,
+  `role_name` varchar(200) NOT NULL,
+  PRIMARY KEY (`role_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `settings`
 --
@@ -1019,6 +1034,34 @@ CREATE TABLE `trips` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `user_clients`
+--
+
+DROP TABLE IF EXISTS `user_clients`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `user_clients` (
+  `user_id` int(11) NOT NULL,
+  `client_id` int(11) NOT NULL,
+  PRIMARY KEY (`user_id`,`client_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `user_companies`
+--
+
+DROP TABLE IF EXISTS `user_companies`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `user_companies` (
+  `user_id` int(11) NOT NULL,
+  `company_id` int(11) NOT NULL,
+  PRIMARY KEY (`user_id`,`company_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `user_keys`
 --
@@ -1035,6 +1078,21 @@ CREATE TABLE `user_keys` (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
+--
+-- Table structure for table `user_settings`
+--
+
+DROP TABLE IF EXISTS `user_settings`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `user_settings` (
+  `user_id` int(11) NOT NULL,
+  `user_default_company` int(11) NOT NULL,
+  `user_role` int(11) NOT NULL,
+  PRIMARY KEY (`user_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
 --
 -- Table structure for table `users`
 --
@@ -1052,6 +1110,7 @@ CREATE TABLE `users` (
   `user_created_at` datetime NOT NULL,
   `user_updated_at` datetime DEFAULT NULL,
   `user_archived_at` datetime DEFAULT NULL,
+  `role_id` int(11) NOT NULL,
   PRIMARY KEY (`user_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 /*!40101 SET character_set_client = @saved_cs_client */;
@@ -1098,4 +1157,4 @@ CREATE TABLE `vendors` (
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
 
--- Dump completed on 2021-12-08 22:31:20
+-- Dump completed on 2021-12-22 13:04:22
diff --git a/edit_user_modal.php b/edit_user_modal.php
index 5843e1ee..35d74d31 100644
--- a/edit_user_modal.php
+++ b/edit_user_modal.php
@@ -62,7 +62,7 @@
               <div class="input-group-prepend">
                 <span class="input-group-text"><i class="fa fa-fw fa-building"></i></span>
               </div>
-              <select class="form-control select2" name="company" required>
+              <select class="form-control select2" name="default_company" required>
                 <option value="">- Company -</option>
                 <?php 
                 
@@ -71,7 +71,7 @@
                   $company_id_select = $row['company_id'];
                   $company_name_select = $row['company_name'];
                 ?>
-                  <option <?php if($company_id_select == $permission_default_company){ echo "selected"; } ?> value="<?php echo $company_id_select; ?>"><?php echo $company_name_select; ?></option>
+                  <option <?php if($company_id_select == $user_default_company){ echo "selected"; } ?> value="<?php echo $company_id_select; ?>"><?php echo $company_name_select; ?></option>
                 
                 <?php
                 }
@@ -81,18 +81,19 @@
           </div>
 
           <div class="form-group">
-            <label>Permission <strong class="text-danger">*</strong></label>
+            <label>Role <strong class="text-danger">*</strong></label>
             <div class="input-group">
               <div class="input-group-prepend">
                 <span class="input-group-text"><i class="fa fa-fw fa-user-shield"></i></span>
               </div>
-              <select class="form-control select2" name="level" required>
-                <option value="">- Permission -</option>
-                <option <?php if($permission_level == 5){ echo "selected"; } ?> value="5">Global Admininstrator</option>
-                <option <?php if($permission_level == 4){ echo "selected"; } ?> value="4">Administrator</option>
-                <option <?php if($permission_level == 3){ echo "selected"; } ?> value="3">Technician</option>
-                <option <?php if($permission_level == 2){ echo "selected"; } ?> value="2">IT Contractor</option>
-                <option <?php if($permission_level == 1){ echo "selected"; } ?> value="1">Accounting</option>
+              <select class="form-control select2" name="role" required>
+                <option value="">- Role -</option>
+                <option <?php if($user_role == 6){ echo "selected"; } ?> value="6">Global Admininstrator</option>
+                <option <?php if($user_role == 5){ echo "selected"; } ?> value="5">Administrator</option>
+                <option <?php if($user_role == 4){ echo "selected"; } ?> value="4">Technician</option>
+                <option <?php if($user_role == 3){ echo "selected"; } ?> value="3">IT Contractor</option>
+                <option <?php if($user_role == 2){ echo "selected"; } ?> value="2">Client</option>
+                <option <?php if($user_role == 1){ echo "selected"; } ?> value="1">Accountant</option>
               </select>
             </div>
           </div>
diff --git a/header.php b/header.php
index e1dddeee..379d0c8c 100644
--- a/header.php
+++ b/header.php
@@ -45,8 +45,8 @@ scratch. This page gets rid of all links and provides the needed markup only.
     
     if(basename(parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH)) == "client.php"){
       include("client_side_nav.php");
-    }elseif(basename(parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH)) == "settings-general.php"){
-      include("admin_side_nav.php");
+    //}elseif(basename(parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH)) == "settings-general.php"){
+      //include("admin_side_nav.php");
     }else{
       include("side_nav.php");
     } 
diff --git a/invoice.php b/invoice.php
index 11e06d1e..5f02e4a2 100644
--- a/invoice.php
+++ b/invoice.php
@@ -272,7 +272,7 @@ if(isset($_GET['invoice_id'])){
                   <td class="text-center"><?php echo $item_quantity; ?></td>
                   <td class="text-right"><?php echo $client_currency_symbol; ?> <?php echo number_format($item_price,2); ?></td>
                   <td class="text-right"><?php echo $client_currency_symbol; ?> <?php echo number_format($item_tax,2); ?></td>
-                  <td class="text-right"><?php echo $client_currency_symbol; ?> <?php echo number_format($item_total,2); ?></td>  
+                  <td class="text-right"><?php echo $client_currency_symbol; ?><?php echo number_format($item_total,2); ?></td>  
                 </tr>
 
                 <?php 
diff --git a/login.php b/login.php
index 6b614dc1..86df9590 100644
--- a/login.php
+++ b/login.php
@@ -24,18 +24,17 @@ session_start();
 
 if(isset($_POST['login'])){
   
-  $username = strip_tags(mysqli_real_escape_string($mysqli,$_POST['username']));
+  $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
   $password = $_POST['password'];
   $current_code = strip_tags(mysqli_real_escape_string($mysqli,$_POST['current_code']));
   if(!empty($current_code)){
     $current_code = strip_tags(mysqli_real_escape_string($mysqli,$_POST['current_code']));
   }
-  $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_email = '$username'");
+  $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_email = '$email'");
   $row = mysqli_fetch_array($sql);
 
   if(password_verify($password, $row['user_password'])){
 
-
     $token = $row['user_token'];
     $_SESSION['user_id'] = $row['user_id'];
     $_SESSION['user_name'] = $row['user_name'];
@@ -77,7 +76,7 @@ if(isset($_POST['login'])){
     }
 
   }else{
-    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = '$username failed to log in', log_ip = '$ip', log_user_agent = '$os - $browser - $device', log_created_at = NOW()");
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = 'Failed login attempt using $email', log_ip = '$ip', log_user_agent = '$os - $browser - $device', log_created_at = NOW()");
 
     $response = "
       <div class='alert alert-danger'>
@@ -118,7 +117,7 @@ if(isset($_POST['login'])){
         <p class="login-box-msg"><?php if(isset($response)) { echo $response; } ?></p>
         <form method="post">
           <div class="input-group mb-3">
-            <input type="text" class="form-control" placeholder="Email" name="username" value="<?php if(!empty($token_field)){ echo $username; }?>" required <?php if(empty($token_field)){ echo "autofocus"; } ?> >
+            <input type="text" class="form-control" placeholder="Email" name="email" value="<?php if(!empty($token_field)){ echo $email; }?>" required <?php if(empty($token_field)){ echo "autofocus"; } ?> >
             <div class="input-group-append">
               <div class="input-group-text">
                 <span class="fas fa-envelope"></span>
@@ -164,4 +163,4 @@ if(isset($_POST['login'])){
   </script>
 
   </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/post.php b/post.php
index e0e23a25..644179ba 100644
--- a/post.php
+++ b/post.php
@@ -21,10 +21,16 @@ if(isset($_POST['change_records_per_page'])){
 if(isset($_GET['switch_company'])){
     $company_id = intval($_GET['switch_company']);
 
-    mysqli_query($mysqli,"UPDATE permissions SET permission_default_company = $company_id WHERE user_id = $session_user_id");
+    //Check to see if user has Permission to access the company
+    if(in_array($company_id,$session_user_company_access_array)){
+        mysqli_query($mysqli,"UPDATE user_settings SET user_default_company = $company_id WHERE user_id = $session_user_id");
 
-    $_SESSION['alert_type'] = "info";
-    $_SESSION['alert_message'] = "Switched Companies!";
+        $_SESSION['alert_type'] = "info";
+        $_SESSION['alert_message'] = "Switched Companies!";
+    }else{
+        $_SESSION['alert_type'] = "danger";
+        $_SESSION['alert_message'] = "What are you trying to DO! WHy did you do this? WHYYY??";
+    }
     
     header("Location: dashboard.php");
   
@@ -35,8 +41,8 @@ if(isset($_POST['add_user'])){
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
     $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
-    $company = intval($_POST['company']);
-    $level = intval($_POST['level']);
+    $default_company = intval($_POST['default_company']);
+    $role = intval($_POST['role']);
 
     mysqli_query($mysqli,"INSERT INTO users SET user_name = '$name', user_email = '$email', user_password = '$password', user_created_at = NOW()");
 
@@ -89,9 +95,12 @@ if(isset($_POST['add_user'])){
         }
     }
 
-    //Create Permissions
-    mysqli_query($mysqli,"INSERT INTO permissions SET permission_level = $level, permission_default_company = $company, permission_companies = $company, user_id = $user_id");
-    
+    //Create Settings
+    mysqli_query($mysqli,"INSERT INTO user_settings SET user_id = $user_id, user_role = $role, user_default_company = $default_company");
+
+    //Create Company Access Permissions
+    mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $default_company");
+
     //logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Created', log_description = '$name', log_created_at = NOW()");
 
@@ -107,8 +116,8 @@ if(isset($_POST['edit_user'])){
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
     $new_password = trim($_POST['new_password']);
-    $company = intval($_POST['company']);
-    $level = intval($_POST['level']);
+    $default_company = intval($_POST['default_company']);
+    $role = intval($_POST['role']);
     $existing_file_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['existing_file_name'])));
 
     if(!file_exists("uploads/users/$user_id/")) {
@@ -167,8 +176,8 @@ if(isset($_POST['edit_user'])){
         mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password' WHERE user_id = $user_id");
     }
 
-    //Create Permissions
-    mysqli_query($mysqli,"UPDATE permissions SET permission_level = $level, permission_default_company = $company WHERE user_id = $user_id");
+    //Update User Settings
+    mysqli_query($mysqli,"UPDATE user_settings SET user_role = $role, user_default_company = $default_company WHERE user_id = $user_id");
 
     //logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Modified', log_description = '$user_name', log_created_at = NOW()");
@@ -251,12 +260,13 @@ if(isset($_POST['edit_profile'])){
 if(isset($_POST['edit_user_companies'])){
 
     $user_id = intval($_POST['user_id']);
-    $companies = mysqli_real_escape_string($mysqli,$_POST['companies']);
 
-    //Turn the Array into a string with , seperation
-    $companies_imploded = implode(",",$companies);
+    mysqli_query($mysqli,"DELETE FROM user_companies WHERE user_id = $user_id");
 
-    mysqli_query($mysqli,"UPDATE permissions SET permission_companies = '$companies_imploded' WHERE user_id = $user_id");
+    foreach($_POST['companies'] as $company){
+        intval($company);
+        mysqli_query($mysqli,"INSERT INTO user_companies SET user_id = $user_id, company_id = $company");
+    }
     
     //logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Modified', log_description = '$name', log_created_at = NOW()");
@@ -270,12 +280,13 @@ if(isset($_POST['edit_user_companies'])){
 if(isset($_POST['edit_user_clients'])){
 
     $user_id = intval($_POST['user_id']);
-    $clients = mysqli_real_escape_string($mysqli,$_POST['clients']);
     
-    //Turn the Array into a string with , seperation
-    $clients_imploded = implode(",",$clients);
+    mysqli_query($mysqli,"DELETE FROM user_clients WHERE user_id = $user_id");
 
-    mysqli_query($mysqli,"UPDATE permissions SET permission_clients = '$clients_imploded' WHERE user_id = $user_id");
+    foreach($_POST['clients'] as $client){
+        intval($client);
+        mysqli_query($mysqli,"INSERT INTO user_clients SET user_id = $user_id, client_id = $client");
+    }
     
     //logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'User', log_action = 'Modified', log_description = '$name', log_created_at = NOW()");
@@ -304,7 +315,7 @@ if(isset($_GET['delete_user'])){
     $user_id = intval($_GET['delete_user']);
 
     mysqli_query($mysqli,"DELETE FROM users WHERE user_id = $user_id");
-    mysqli_query($mysqli,"DELETE FROM permissions WHERE user_id = $user_id");
+    mysqli_query($mysqli,"DELETE FROM user_settings WHERE user_id = $user_id");
     mysqli_query($mysqli,"DELETE FROM logs WHERE log_user_id = $user_id");
     mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_created_by = $user_id");
     mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_closed_by = $user_id");
@@ -904,7 +915,7 @@ if(isset($_POST['add_client'])){
     }
 
     //Log Add Client
-    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Created', log_description = '$name', log_created_at = NOW(), client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id");
+    mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Created', log_description = '$name', log_created_at = NOW(), log_client_id = $client_id, company_id = $session_company_id, log_user_id = $session_user_id");
 
     //Add Location
     if(!empty($address) OR !empty($city) OR !empty($state) OR !empty($zip)){
diff --git a/setup.php b/setup.php
index 4af651d9..80d0dccf 100644
--- a/setup.php
+++ b/setup.php
@@ -441,6 +441,9 @@ if(isset($_POST['add_user'])){
       $_SESSION['alert_message'] = 'There was an error moving the file to upload directory. Please make sure the upload directory is writable by web server.';
     }
   }
+
+  //Create Settings
+  mysqli_query($mysqli,"INSERT INTO user_settings SET user_id = $user_id, user_role = 6, user_default_company = 1");
   
   $_SESSION['alert_message'] = "User <strong>$user_name</strong> created!";
 
diff --git a/side_nav.php b/side_nav.php
index 88fceadf..5bd272e3 100644
--- a/side_nav.php
+++ b/side_nav.php
@@ -7,7 +7,7 @@
     <!-- Sidebar Menu -->
     <nav class="mt-3">
       <?php
-      $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id IN ($session_permission_companies)");
+      $sql = mysqli_query($mysqli,"SELECT * FROM companies WHERE company_id IN ($session_user_company_access)");
       
       if(mysqli_num_rows($sql) > 1){ 
 
@@ -62,7 +62,7 @@
           </a>
         </li>
         
-        <?php if($session_permission_level > 2){ ?>
+        <?php if($session_user_role > 2){ ?>
 
         <li class="nav-header mt-3">SUPPORT</li>
         <li class="nav-item">
@@ -93,7 +93,7 @@
 
         <?php } ?>
 
-        <?php if($session_permission_level == 1 OR $session_permission_level > 3){ ?> 
+        <?php if($session_user_role == 1 OR $session_user_role > 3){ ?> 
 
         <li class="nav-header mt-3">SALES</li>
         <li class="nav-item">
@@ -202,7 +202,7 @@
 
         <?php } ?>
 
-        <?php if($session_permission_level > 3){ ?>
+        <?php if($session_user_role > 3){ ?>
 
         <li class="nav-header mt-3">SETTINGS</li>
         
diff --git a/ticket.php b/ticket.php
index 8b23a127..eae27c71 100644
--- a/ticket.php
+++ b/ticket.php
@@ -123,7 +123,7 @@ if(isset($_GET['ticket_id'])){
     <form class="mb-3" action="post.php" method="post" autocomplete="off">
       <input type="hidden" name="ticket_id" value="<?php echo $ticket_id; ?>">
       <div class="form-group">
-        <textarea class="form-control summernote" name="ticket_reply"></textarea>
+        <textarea class="form-control summernote" name="ticket_reply" required></textarea>
       </div>
       <div class="form-row">
         <div class="col-md-3">
diff --git a/top_nav.php b/top_nav.php
index 00542796..357b84cf 100644
--- a/top_nav.php
+++ b/top_nav.php
@@ -52,7 +52,7 @@
 					<?php } ?>
           <p>
             <?php echo $session_name; ?>
-            <small><?php echo $session_permission_level_display; ?></small>
+            <small><?php echo $session_user_role_display; ?></small>
           </p>
         </li>
         <!-- Menu Footer-->
diff --git a/user_clients_modal.php b/user_clients_modal.php
index 1ea0fd97..af467ccf 100644
--- a/user_clients_modal.php
+++ b/user_clients_modal.php
@@ -19,7 +19,7 @@
           <ul class="list-group">
 
             <?php
-            $sql_clients_select = mysqli_query($mysqli,"SELECT * FROM clients, companies WHERE clients.company_id = companies.company_id AND companies.company_id IN ($permission_companies) ORDER BY client_name ASC");
+            $sql_clients_select = mysqli_query($mysqli,"SELECT * FROM clients, companies WHERE clients.company_id = companies.company_id AND companies.company_id IN ($user_company_access) ORDER BY client_name ASC");
 
             while($row = mysqli_fetch_array($sql_clients_select)){
               $client_id_select = $row['client_id'];
@@ -30,7 +30,7 @@
             ?>
               <li class="list-group-item">
                 <div class="form-check">
-                  <input type="checkbox" class="form-check-input" name="clients[]" value="<?php echo $client_id_select; ?>" <?php if(in_array("$client_id_select",$permission_clients_array)){ echo "checked"; } ?> >
+                  <input type="checkbox" class="form-check-input" name="clients[]" value="<?php echo $client_id_select; ?>" <?php if(in_array("$client_id_select",$user_client_access_array)){ echo "checked"; } ?> >
                   <label class="form-check-label ml-2"><?php echo $client_name_select; ?></label>
                 </div>
               </li>
diff --git a/user_companies_modal.php b/user_companies_modal.php
index 1868353b..88203806 100644
--- a/user_companies_modal.php
+++ b/user_companies_modal.php
@@ -9,7 +9,7 @@
       </div>
       <form action="post.php" method="post" autocomplete="off">
         <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
-        <input type="hidden" name="companies[]" value="<?php echo $permission_default_company; ?>">
+        <input type="hidden" name="companies[]" value="<?php echo $user_default_company; ?>">
 
         <div class="modal-body bg-white">
 
@@ -29,8 +29,8 @@
             ?>
               <li class="list-group-item">
                 <div class="form-check">
-                  <input type="checkbox" class="form-check-input" name="companies[]" value="<?php echo $company_id_select; ?>" <?php if(in_array("$company_id_select",$permission_companies_array)){ echo "checked"; } ?> <?php if($permission_default_company == $company_id_select){ echo "disabled"; } ?>>
-                  <label class="form-check-label ml-2"><?php echo $company_name_select; ?> <?php if($permission_default_company == $company_id_select){ echo "<small>(Default Company)</small>"; } ?></label>
+                  <input type="checkbox" class="form-check-input" name="companies[]" value="<?php echo $company_id_select; ?>" <?php if(in_array("$company_id_select",$user_company_access_array)){ echo "checked"; } ?> <?php if($user_default_company == $company_id_select){ echo "disabled"; } ?>>
+                  <label class="form-check-label ml-2"><?php echo $company_name_select; ?> <?php if($user_default_company == $company_id_select){ echo "<small>(Default Company)</small>"; } ?></label>
                 </div>
               </li>
 
diff --git a/users.php b/users.php
index 9c09be40..181c1cd7 100644
--- a/users.php
+++ b/users.php
@@ -39,8 +39,8 @@
   //Rebuild URL
   $url_query_strings_sb = http_build_query(array_merge($_GET,array('sb' => $sb, 'o' => $o)));
 
-  $sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM users, permissions
-    WHERE users.user_id = permissions.user_id
+  $sql = mysqli_query($mysqli,"SELECT SQL_CALC_FOUND_ROWS * FROM users, user_settings
+    WHERE users.user_id = user_settings.user_id
     AND (user_name LIKE '%$q%' OR user_email LIKE '%$q%')
     ORDER BY $sb $o LIMIT $record_from, $record_to");
 
@@ -85,24 +85,35 @@
             $user_name = $row['user_name'];
             $user_email = $row['user_email'];
             $user_avatar = $row['user_avatar'];
-            $permission_default_company = $row['permission_default_company'];
-            $permission_level = $row['permission_level'];
-            if($permission_level == 5){
-              $permission_level_display = "Global Administrator";
-            }elseif($permission_level == 4){
-              $permission_level_display = "Administrator";
-            }elseif($permission_level == 3){
-              $permission_level_display = "Technician";
-            }elseif($permission_level == 2){
-              $permission_level_display = "IT Contractor";
+            $user_default_company = $row['user_default_company'];
+            $user_role = $row['user_role'];
+            if($user_role == 6){
+              $user_role_display = "Global Administrator";
+            }elseif($user_role == 5){
+              $user_role_display = "Administrator";
+            }elseif($user_role == 4){
+              $user_role_display = "Technician";
+            }elseif($user_role == 3){
+              $user_role_display = "IT Contractor";
+            }elseif($user_role == 2){
+              $user_role_display = "Client";
             }else{
-              $permission_level_display = "Accounting";  
+              $user_role_display = "Accountant";  
             }
-            $permission_companies = $row['permission_companies'];
-            $permission_companies_array = explode(",",$permission_companies); 
-            $permission_clients = $row['permission_clients'];
-            $permission_clients_array = explode(",",$permission_clients);
-            $permission_actions = $row['permission_actions'];
+            $user_company_access_sql = mysqli_query($mysqli,"SELECT company_id FROM user_companies WHERE user_id = $user_id");
+            $user_company_access_array = array();
+            while($row = mysqli_fetch_array($user_company_access_sql)){
+              $user_company_access_array[] = $row['company_id'];
+            }
+            $user_company_access = implode(',',$user_company_access_array);
+
+            $user_client_access_sql = mysqli_query($mysqli,"SELECT client_id FROM user_clients WHERE user_id = $user_id");
+            $user_client_access_array = array();
+            while($row = mysqli_fetch_array($user_client_access_sql)){
+              $user_client_access_array[] = $row['client_id'];
+            }
+            $user_client_access = implode(',',$user_client_access_array);
+
             $user_initials = initials($user_name);
 
             $sql_last_login = mysqli_query($mysqli,"SELECT * FROM logs 
@@ -137,7 +148,7 @@
               </a>
             </td>
             <td><a href="mailto:<?php echo $email; ?>"><?php echo $user_email; ?></a></td>
-            <td><?php echo $permission_level_display; ?></td>
+            <td><?php echo $user_role_display; ?></td>
             <td>-</td>
             <td><?php echo $log_created_at; ?> <br> <small class="text-secondary"><?php echo $last_login; ?></small></td>
             <td>