From e6a314d2332310fafea0f73728f4f33978b02f00 Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Sun, 27 Mar 2022 15:32:40 +0100
Subject: [PATCH] Prevent tech/accountant from performing certain tasks as per
 access matrix

---
 client.php              |  30 ++-
 client_assets.php       |   8 +-
 client_certificates.php |   6 +-
 client_contacts.php     |  10 +-
 client_documents.php    |   6 +-
 client_domains.php      |   6 +-
 client_logins.php       |   4 +-
 client_networks.php     |   6 +-
 client_services.php     |   6 +-
 client_software.php     |   6 +-
 client_tickets.php      |   6 +-
 client_vendors.php      |   6 +-
 clients.php             |  48 ++--
 inc_all_admin.php       |   8 +
 post.php                | 574 +++++++++++++++++++++++++++++++++++++++-
 side_nav.php            |   4 +-
 ticket.php              |  12 +-
 tickets.php             |   8 +-
 18 files changed, 678 insertions(+), 76 deletions(-)

diff --git a/client.php b/client.php
index 76139efa..e04cbcc0 100644
--- a/client.php
+++ b/client.php
@@ -235,7 +235,7 @@ $location_phone = formatPhoneNumber($location_phone);
         } 
         ?>
       </div>
-      <?php if($session_user_role == 1 OR $session_user_role > 2){ ?>
+      <?php if($session_user_role == 1 OR $session_user_role == 3){ ?>
       <div class="col-md-3 border-left">
         <h4 class="text-secondary">Billing</h4>
         <h6 class="ml-1 text-secondary">Paid <div class="text-dark float-right"> <?php echo numfmt_format_currency($currency_format, $amount_paid, $client_currency_code); ?></div></h6>
@@ -248,20 +248,22 @@ $location_phone = formatPhoneNumber($location_phone);
         <h6 class="ml-1 text-secondary">Open Tickets <div class="text-dark float-right"><?php echo $num_active_tickets; ?></div></h6>
       </div>
       <div class="col-md-1 border-left">
-        <div class="dropdown dropleft text-center">
-          <button class="btn btn-dark btn-sm float-right" type="button" data-toggle="dropdown">
-            <i class="fas fa-fw fa-ellipsis-v"></i>
-          </button>
-          <div class="dropdown-menu">
-            <a class="dropdown-item" href="client_print.php?client_id=<?php echo $client_id; ?>">Print</a>
-            <a class="dropdown-item" href="post.php?export_client_pdf=<?php echo $client_id; ?>" target="_blank">Export PDF<br><small class="text-secondary">(without passwords)</small></a>
-            <a class="dropdown-item" href="post.php?export_client_pdf=<?php echo $client_id; ?>&passwords" target="_blank">Export PDF<br><small class="text-secondary">(with passwords)</small></a>
-            <div class="dropdown-divider"></div>
-            <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editClientModal<?php echo $client_id; ?>">Edit</a>
-            <div class="dropdown-divider"></div>
-            <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#deleteClientModal<?php echo $client_id; ?>">Delete</a>
+        <?php if($session_user_role == 3) { ?>
+          <div class="dropdown dropleft text-center">
+            <button class="btn btn-dark btn-sm float-right" type="button" data-toggle="dropdown">
+              <i class="fas fa-fw fa-ellipsis-v"></i>
+            </button>
+            <div class="dropdown-menu">
+              <a class="dropdown-item" href="client_print.php?client_id=<?php echo $client_id; ?>">Print</a>
+              <a class="dropdown-item" href="post.php?export_client_pdf=<?php echo $client_id; ?>" target="_blank">Export PDF<br><small class="text-secondary">(without passwords)</small></a>
+              <a class="dropdown-item" href="post.php?export_client_pdf=<?php echo $client_id; ?>&passwords" target="_blank">Export PDF<br><small class="text-secondary">(with passwords)</small></a>
+              <div class="dropdown-divider"></div>
+              <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editClientModal<?php echo $client_id; ?>">Edit</a>
+              <div class="dropdown-divider"></div>
+              <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#deleteClientModal<?php echo $client_id; ?>">Delete</a>
+            </div>
           </div>
-        </div>
+        <?php } ?>
       </div>
     </div>
   </div>
diff --git a/client_assets.php b/client_assets.php
index 87992935..0fead289 100644
--- a/client_assets.php
+++ b/client_assets.php
@@ -346,10 +346,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editAssetModal<?php echo $asset_id; ?>">Edit</a>
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#copyAssetModal<?php echo $asset_id; ?>">Copy</a>
                   <?php if($ticket_count > 0){ ?>
-                  <a class="dropdown-item" href="#" data-toggle="modal" data-target="#assetTicketsModal<?php echo $asset_id; ?>">Tickets (<?php echo $ticket_count; ?>)</a>
+                    <a class="dropdown-item" href="#" data-toggle="modal" data-target="#assetTicketsModal<?php echo $asset_id; ?>">Tickets (<?php echo $ticket_count; ?>)</a>
+                  <?php } ?>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_asset=<?php echo $asset_id; ?>">Delete</a>
                   <?php } ?>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_asset=<?php echo $asset_id; ?>">Delete</a>
                 </div>
               </div>
             </td>
diff --git a/client_certificates.php b/client_certificates.php
index df820aa0..19f00f85 100644
--- a/client_certificates.php
+++ b/client_certificates.php
@@ -112,8 +112,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" onclick="populateCertificateEditModal(<?php echo $client_id, ",", $certificate_id ?>)" data-target="#editCertificateModal">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_certificate=<?php echo $certificate_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_certificate=<?php echo $certificate_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div>
             </td>
diff --git a/client_contacts.php b/client_contacts.php
index 680d148e..b883b1e4 100644
--- a/client_contacts.php
+++ b/client_contacts.php
@@ -219,10 +219,12 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#contactDetailsModal<?php echo $contact_id; ?>">View Details</a>
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editContactModal<?php echo $contact_id; ?>">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?archive_contact=<?php echo $contact_id; ?>">Archive</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger text-bold" href="post.php?delete_contact=<?php echo $contact_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?archive_contact=<?php echo $contact_id; ?>">Archive</a>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger text-bold" href="post.php?delete_contact=<?php echo $contact_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div> 
             </td>
diff --git a/client_documents.php b/client_documents.php
index bbe50682..86afb59f 100644
--- a/client_documents.php
+++ b/client_documents.php
@@ -179,8 +179,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editDocumentModal<?php echo $document_id; ?>">Edit</a>
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'Document', $document_id"; ?>)">Share</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_document=<?php echo $document_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_document=<?php echo $document_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div>
               <?php include("client_document_view_modal.php"); ?>      
diff --git a/client_domains.php b/client_domains.php
index 94b7d38c..3ddd7dc3 100644
--- a/client_domains.php
+++ b/client_domains.php
@@ -124,8 +124,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" onclick="populateDomainEditModal(<?php echo $client_id, ",", $domain_id ?>)" data-target="#editDomainModal">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_domain=<?php echo $domain_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_domain=<?php echo $domain_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div>
             </td>
diff --git a/client_logins.php b/client_logins.php
index 1db58013..477e45be 100644
--- a/client_logins.php
+++ b/client_logins.php
@@ -148,8 +148,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editLoginModal<?php echo $login_id; ?>">Edit</a>
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#shareModal" onclick="populateShareModal(<?php echo "$client_id, 'Login', $login_id"; ?>)">Share</a>
+                  <?php if($session_user_role == 3) { ?>
                     <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_login=<?php echo $login_id; ?>">Delete</a>
+                    <a class="dropdown-item text-danger" href="post.php?delete_login=<?php echo $login_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div> 
             </td>
diff --git a/client_networks.php b/client_networks.php
index dbf9218a..4e599a46 100644
--- a/client_networks.php
+++ b/client_networks.php
@@ -138,8 +138,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" onclick="populateNetworkEditModal(<?php echo $client_id, ",", $network_id ?>)" data-target="#editNetworkModal">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_network=<?php echo $network_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_network=<?php echo $network_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div>
             </td>
diff --git a/client_services.php b/client_services.php
index d72b405e..e137baf1 100644
--- a/client_services.php
+++ b/client_services.php
@@ -91,8 +91,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                             </button>
                             <div class="dropdown-menu">
                                 <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editServiceModal<?php echo $service_id; ?>">Edit</a>
-                                <div class="dropdown-divider"></div>
-                                <a class="dropdown-item text-danger" href="post.php?delete_service=<?php echo $service_id; ?>">Delete</a>
+                                <?php if($session_user_role == 3) { ?>
+                                  <div class="dropdown-divider"></div>
+                                  <a class="dropdown-item text-danger" href="post.php?delete_service=<?php echo $service_id; ?>">Delete</a>
+                                <?php } ?>
                             </div>
                         </div>
                     </td>
diff --git a/client_software.php b/client_software.php
index 75ac57f8..740b6bbc 100644
--- a/client_software.php
+++ b/client_software.php
@@ -186,8 +186,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editSoftwareModal<?php echo $software_id; ?>">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_software=<?php echo $software_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_software=<?php echo $software_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div> 
             </td>
diff --git a/client_tickets.php b/client_tickets.php
index a5f58320..534df573 100644
--- a/client_tickets.php
+++ b/client_tickets.php
@@ -191,8 +191,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                   </button>
                   <div class="dropdown-menu">
                     <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTicketModal<?php echo $ticket_id; ?>">Edit</a>
-                    <div class="dropdown-divider"></div>
-                    <a class="dropdown-item text-danger" href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+                    <?php if($session_user_role == 3) { ?>
+                      <div class="dropdown-divider"></div>
+                      <a class="dropdown-item text-danger" href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+                    <?php } ?>
                   </div>
                 </div>
               <?php } ?>
diff --git a/client_vendors.php b/client_vendors.php
index 7e0cb211..ae9dcfab 100644
--- a/client_vendors.php
+++ b/client_vendors.php
@@ -175,8 +175,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
                 </button>
                 <div class="dropdown-menu">
                   <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editVendorModal<?php echo $vendor_id; ?>">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="post.php?delete_vendor=<?php echo $vendor_id; ?>">Delete</a>
+                  <?php if($session_user_role == 3) { ?>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="post.php?delete_vendor=<?php echo $vendor_id; ?>">Delete</a>
+                  <?php } ?>
                 </div>
               </div>
             </td>
diff --git a/clients.php b/clients.php
index 5de1d043..47fbf741 100644
--- a/clients.php
+++ b/clients.php
@@ -107,7 +107,9 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
   <div class="card-header py-2">
     <h3 class="card-title mt-2"><i class="fa fa-fw fa-users"></i> Clients</h3>
     <div class="card-tools">
-      <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addClientModal"><i class="fas fa-fw fa-plus"></i> New Client</button>
+      <?php if($session_user_role == 3) { ?>
+        <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#addClientModal"><i class="fas fa-fw fa-plus"></i> New Client</button>
+      <?php } ?>
     </div>
   </div>
 
@@ -165,8 +167,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
             <th><a class="text-dark" href="?<?php echo $url_query_strings_sortby; ?>&sortby=client_name&order=<?php echo $order_display; ?>">Name</a></th>
             <th><a class="text-dark" href="?<?php echo $url_query_strings_sortby; ?>&sortby=location_city&order=<?php echo $order_display; ?>">Address </a></th>
             <th><a class="text-dark" href="?<?php echo $url_query_strings_sortby; ?>&sortby=contact_name&order=<?php echo $order_display; ?>">Contact</a></th>
-            <th class="text-right">Billing</th>
-            <th class="text-center">Action</th>
+            <?php if($session_user_role == 3 OR $session_user_role == 1) { ?> <th class="text-right">Billing</th> <?php } ?>
+            <?php if($session_user_role == 3) { ?> <th class="text-center">Action</th> <?php } ?>
           </tr>
         </thead>
         <tbody>
@@ -306,23 +308,31 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
               }
               ?>
             </td>
-            <td class="text-right">
-              <span class="text-secondary">Balance</span> <span class="<?php echo $balance_text_color; ?>"><?php echo numfmt_format_currency($currency_format, $balance, $session_company_currency); ?></span>
-              <br>
-              <span class="text-secondary">Paid</span> <?php echo numfmt_format_currency($currency_format, $amount_paid, $session_company_currency); ?>
-            </td>
-            <td>
-              <div class="dropdown dropleft text-center">
-                <button class="btn btn-secondary btn-sm" type="button" data-toggle="dropdown">
-                  <i class="fas fa-ellipsis-h"></i>
-                </button>
-                <div class="dropdown-menu">
-                  <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editClientModal<?php echo $client_id; ?>">Edit</a>
-                  <div class="dropdown-divider"></div>
-                  <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#deleteClientModal<?php echo $client_id; ?>">Delete</a>
+
+            <!-- Show Billing for Admin/Accountant roles only -->
+            <?php if($session_user_role == 3 OR $session_user_role == 1) { ?>
+              <td class="text-right">
+                <span class="text-secondary">Balance</span> <span class="<?php echo $balance_text_color; ?>"><?php echo numfmt_format_currency($currency_format, $balance, $session_company_currency); ?></span>
+                <br>
+                <span class="text-secondary">Paid</span> <?php echo numfmt_format_currency($currency_format, $amount_paid, $session_company_currency); ?>
+              </td>
+            <?php } ?>
+
+            <!-- Show actions for Admin role only -->
+            <?php //if($session_user_role == 3) { ?>
+              <td>
+                <div class="dropdown dropleft text-center">
+                  <button class="btn btn-secondary btn-sm" type="button" data-toggle="dropdown">
+                    <i class="fas fa-ellipsis-h"></i>
+                  </button>
+                  <div class="dropdown-menu">
+                    <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editClientModal<?php echo $client_id; ?>">Edit</a>
+                    <div class="dropdown-divider"></div>
+                    <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#deleteClientModal<?php echo $client_id; ?>">Delete</a>
+                  </div>
                 </div>
-              </div>
-            </td>
+              </td>
+            <?php //} ?>
           </tr>
 
           <?php
diff --git a/inc_all_admin.php b/inc_all_admin.php
index cbe2fce1..122c9782 100644
--- a/inc_all_admin.php
+++ b/inc_all_admin.php
@@ -3,6 +3,14 @@
 include("config.php");
 include_once("functions.php");
 include("check_login.php");
+
+if($session_user_role != 3){
+  $_SESSION['alert_type'] = "danger";
+  $_SESSION['alert_message'] = "You are not permitted to do that!";
+  header("Location: index.php");
+  exit();
+}
+
 include("header.php");
 include("top_nav.php");
 include("admin_side_nav.php");
diff --git a/post.php b/post.php
index 597d01e4..5f7fac53 100644
--- a/post.php
+++ b/post.php
@@ -716,6 +716,13 @@ if(isset($_POST['verify'])){
 
 if(isset($_POST['edit_general_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_base_url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_base_url'])));
     $mesh_uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['meshcentral_uri'])));
     $mesh_user = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['meshcentral_user'])));
@@ -736,6 +743,13 @@ if(isset($_POST['edit_general_settings'])){
 
 if(isset($_POST['edit_mail_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_smtp_host = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_smtp_host'])));
     $config_smtp_port = intval($_POST['config_smtp_port']);
     $config_smtp_username = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_smtp_username'])));
@@ -781,6 +795,14 @@ if(isset($_POST['edit_mail_settings'])){
 }
 
 if(isset($_POST['test_email'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $email = strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']));
 
     $mail = new PHPMailer(true);
@@ -818,6 +840,13 @@ if(isset($_POST['test_email'])){
 
 if(isset($_POST['edit_invoice_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_invoice_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_invoice_prefix'])));
     $config_invoice_next_number = intval($_POST['config_invoice_next_number']);
     $config_invoice_footer = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_invoice_footer'])));
@@ -840,6 +869,13 @@ if(isset($_POST['edit_invoice_settings'])){
 
 if(isset($_POST['edit_quote_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_quote_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_quote_prefix'])));
     $config_quote_next_number = intval($_POST['config_quote_next_number']);
     $config_quote_footer = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_quote_footer'])));
@@ -859,6 +895,13 @@ if(isset($_POST['edit_quote_settings'])){
 
 if(isset($_POST['edit_ticket_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_ticket_prefix = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_ticket_prefix'])));
     $config_ticket_next_number = intval($_POST['config_ticket_next_number']);
     $config_ticket_from_email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_ticket_from_email'])));
@@ -877,6 +920,13 @@ if(isset($_POST['edit_ticket_settings'])){
 
 if(isset($_POST['edit_default_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $expense_account = intval($_POST['expense_account']);
     $payment_account = intval($_POST['payment_account']);
     $payment_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['payment_method'])));
@@ -898,6 +948,13 @@ if(isset($_POST['edit_default_settings'])){
 
 if(isset($_POST['edit_alert_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_enable_cron = intval($_POST['config_enable_cron']);
     $config_enable_alert_domain_expire = intval($_POST['config_enable_alert_domain_expire']);
     $config_send_invoice_reminders = intval($_POST['config_send_invoice_reminders']);
@@ -916,6 +973,13 @@ if(isset($_POST['edit_alert_settings'])){
 
 if(isset($_POST['edit_online_payment_settings'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $config_stripe_enable = intval($_POST['config_stripe_enable']);
     $config_stripe_publishable = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_stripe_publishable'])));
     $config_stripe_secret = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['config_stripe_secret'])));
@@ -960,6 +1024,13 @@ if(isset($_POST['disable_2fa'])){
 
 if(isset($_GET['download_database'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     // Get All Table Names From the Database
     $tables = array();
     $sql = "SHOW TABLES";
@@ -1039,7 +1110,12 @@ if(isset($_GET['download_database'])){
 
 if(isset($_POST['backup_master_key'])){
 
-    //TODO: Verify the user is authorised to view the key?
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
 
     $password = $_POST['password'];
 
@@ -1070,7 +1146,14 @@ if(isset($_POST['backup_master_key'])){
 }
 
 if(isset($_GET['update'])){
-    //also check to make sure someone has admin before running this function
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     exec("git pull");
 
     //FORCE UPDATE FUNCTION (Will be added later as a checkbox)
@@ -1092,6 +1175,13 @@ if(isset($_GET['update'])){
 
 if(isset($_GET['update_db'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     //Alter SQL Structure
 
     //Put ID Here
@@ -1120,6 +1210,13 @@ if(isset($_GET['update_db'])){
 
 if(isset($_POST['add_client'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['type'])));
     $location_phone = preg_replace("/[^0-9]/", '',$_POST['location_phone']);
@@ -1195,6 +1292,13 @@ if(isset($_POST['add_client'])){
 
 if(isset($_POST['edit_client'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['type'])));
@@ -1226,7 +1330,8 @@ if(isset($_POST['edit_client'])){
 }
 
 if(isset($_GET['delete_client'])){
-    if($session_user_role !== "3"){
+
+    if($session_user_role != 3){
         $_SESSION['alert_type'] = "danger";
         $_SESSION['alert_message'] = "You are not permitted to do that!";
         header("Location: " . $_SERVER["HTTP_REFERER"]);
@@ -3973,6 +4078,13 @@ if(isset($_GET['delete_revenue'])){
 
 if(isset($_POST['add_contact'])){
 
+    if($session_user_role = 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $title = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['title'])));
@@ -4053,6 +4165,13 @@ if(isset($_POST['add_contact'])){
 
 if(isset($_POST['edit_contact'])){
 
+    if($session_user_role = 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $contact_id = intval($_POST['contact_id']);
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@@ -4141,6 +4260,14 @@ if(isset($_POST['edit_contact'])){
 }
 
 if(isset($_GET['archive_contact'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $contact_id = intval($_GET['archive_contact']);
 
     mysqli_query($mysqli,"UPDATE contacts SET contact_archived_at = NOW() WHERE contact_id = $contact_id");
@@ -4155,6 +4282,14 @@ if(isset($_GET['archive_contact'])){
 }
 
 if(isset($_GET['delete_contact'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $contact_id = intval($_GET['delete_contact']);
 
     mysqli_query($mysqli,"DELETE FROM contacts WHERE contact_id = $contact_id AND company_id = $session_company_id");
@@ -4212,6 +4347,13 @@ if(isset($_GET['export_client_contacts_csv'])){
 
 if(isset($_POST['add_location'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $country = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['country'])));
@@ -4291,6 +4433,13 @@ if(isset($_POST['add_location'])){
 
 if(isset($_POST['edit_location'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $location_id = intval($_POST['location_id']);
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@@ -4373,6 +4522,14 @@ if(isset($_POST['edit_location'])){
 }
 
 if(isset($_GET['delete_location'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $location_id = intval($_GET['delete_location']);
 
     mysqli_query($mysqli,"DELETE FROM locations WHERE location_id = $location_id AND company_id = $session_company_id");
@@ -4431,6 +4588,13 @@ if(isset($_GET['export_client_locations_csv'])){
 // Client Departments
 if(isset($_POST['add_department'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $department_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['department_name'])));
 
@@ -4449,6 +4613,13 @@ if(isset($_POST['add_department'])){
 
 if(isset($_POST['edit_department'])){
 
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $department_id = intval($_POST['department_id']);
     $client_id = intval($_POST['client_id']);
     $department_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['department_name'])));
@@ -4465,6 +4636,14 @@ if(isset($_POST['edit_department'])){
 }
 
 if(isset($_GET['archive_department'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $department_id = intval($_GET['archive_department']);
 
     mysqli_query($mysqli,"UPDATE departments SET department_archived_at = NOW() WHERE department_id = $department_id");
@@ -4479,6 +4658,14 @@ if(isset($_GET['archive_department'])){
 }
 
 if(isset($_GET['delete_department'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $department_id = intval($_GET['delete_department']);
 
     mysqli_query($mysqli,"DELETE FROM departments WHERE department_id = $department_id AND company_id = $session_company_id");
@@ -4494,6 +4681,13 @@ if(isset($_GET['delete_department'])){
 
 if(isset($_POST['add_asset'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $type = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['type'])));
@@ -4543,6 +4737,13 @@ if(isset($_POST['add_asset'])){
 
 if(isset($_POST['edit_asset'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $asset_id = intval($_POST['asset_id']);
     $login_id = intval($_POST['login_id']);
     $client_id = intval($_POST['client_id']);
@@ -4598,6 +4799,14 @@ if(isset($_POST['edit_asset'])){
 }
 
 if(isset($_GET['delete_asset'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $asset_id = intval($_GET['delete_asset']);
 
     mysqli_query($mysqli,"DELETE FROM assets WHERE asset_id = $asset_id AND company_id = $session_company_id");
@@ -4612,6 +4821,14 @@ if(isset($_GET['delete_asset'])){
 }
 
 if(isset($_POST["import_client_assets_csv"])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $file_name = $_FILES["file"]["tmp_name"];
     $error = FALSE;
@@ -4741,6 +4958,14 @@ if(isset($_GET['download_client_assets_csv_template'])){
 }
 
 if(isset($_GET['export_client_assets_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_assets_csv']);
 
     //get records from database
@@ -4783,6 +5008,13 @@ if(isset($_GET['export_client_assets_csv'])){
 
 if(isset($_POST['add_software'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $version = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['version'])));
@@ -4840,6 +5072,13 @@ if(isset($_POST['add_software'])){
 
 if(isset($_POST['edit_software'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $software_id = intval($_POST['software_id']);
     $login_id = intval($_POST['login_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@@ -4903,6 +5142,14 @@ if(isset($_POST['edit_software'])){
 }
 
 if(isset($_GET['delete_software'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $software_id = intval($_GET['delete_software']);
 
     mysqli_query($mysqli,"DELETE FROM software WHERE software_id = $software_id AND company_id = $session_company_id");
@@ -4921,6 +5168,14 @@ if(isset($_GET['delete_software'])){
 }
 
 if(isset($_GET['export_client_software_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_software_csv']);
 
     //get records from database
@@ -4963,6 +5218,13 @@ if(isset($_GET['export_client_software_csv'])){
 
 if(isset($_POST['add_login'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
@@ -4988,6 +5250,13 @@ if(isset($_POST['add_login'])){
 
 if(isset($_POST['edit_login'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $login_id = intval($_POST['login_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $uri = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['uri'])));
@@ -5012,6 +5281,14 @@ if(isset($_POST['edit_login'])){
 }
 
 if(isset($_GET['delete_login'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $login_id = intval($_GET['delete_login']);
 
     mysqli_query($mysqli,"DELETE FROM logins WHERE login_id = $login_id AND company_id = $session_company_id");
@@ -5026,6 +5303,14 @@ if(isset($_GET['delete_login'])){
 }
 
 if(isset($_GET['export_client_logins_csv'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_logins_csv']);
 
     //get records from database
@@ -5069,7 +5354,14 @@ if(isset($_GET['export_client_logins_csv'])){
 
 if(isset($_POST['add_network'])){
 
-    $client_id = intval($_POST['client_id']);
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
+  $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $vlan = intval($_POST['vlan']);
     $network = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['network'])));
@@ -5090,6 +5382,13 @@ if(isset($_POST['add_network'])){
 
 if(isset($_POST['edit_network'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $network_id = intval($_POST['network_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $vlan = intval($_POST['vlan']);
@@ -5110,6 +5409,13 @@ if(isset($_POST['edit_network'])){
 }
 
 if(isset($_GET['delete_network'])){
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $network_id = intval($_GET['delete_network']);
 
     mysqli_query($mysqli,"DELETE FROM networks WHERE network_id = $network_id AND company_id = $session_company_id");
@@ -5124,6 +5430,14 @@ if(isset($_GET['delete_network'])){
 }
 
 if(isset($_GET['export_client_networks_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_networks_csv']);
 
     //get records from database
@@ -5165,6 +5479,13 @@ if(isset($_GET['export_client_networks_csv'])){
 }
 
 if(isset($_POST['add_certificate'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
  
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@@ -5188,8 +5509,6 @@ if(isset($_POST['add_certificate'])){
         $expire = "0000-00-00";
     }
 
-
-
     mysqli_query($mysqli,"INSERT INTO certificates SET certificate_name = '$name', certificate_domain = '$domain', certificate_issued_by = '$issued_by', certificate_expire = '$expire', certificate_created_at = NOW(), certificate_public_key = '$public_key', certificate_domain_id = $domain_id, certificate_client_id = $client_id, company_id = $session_company_id");
 
     //Logging
@@ -5203,6 +5522,13 @@ if(isset($_POST['add_certificate'])){
 
 if(isset($_POST['edit_certificate'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $certificate_id = intval($_POST['certificate_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $domain = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['domain'])));
@@ -5237,6 +5563,14 @@ if(isset($_POST['edit_certificate'])){
 }
 
 if(isset($_GET['delete_certificate'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $certificate_id = intval($_GET['delete_certificate']);
 
     mysqli_query($mysqli,"DELETE FROM certificates WHERE certificate_id = $certificate_id AND company_id = $session_company_id");
@@ -5251,6 +5585,14 @@ if(isset($_GET['delete_certificate'])){
 }
 
 if(isset($_GET['export_client_certificates_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_certificates_csv']);
 
     //get records from database
@@ -5293,6 +5635,13 @@ if(isset($_GET['export_client_certificates_csv'])){
 
 if(isset($_POST['add_domain'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $registrar = intval($_POST['registrar']);
@@ -5338,6 +5687,13 @@ if(isset($_POST['add_domain'])){
 
 if(isset($_POST['edit_domain'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $domain_id = intval($_POST['domain_id']);
     $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $registrar = intval($_POST['registrar']);
@@ -5382,6 +5738,14 @@ if(isset($_POST['edit_domain'])){
 }
 
 if(isset($_GET['delete_domain'])){
+
+      if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $domain_id = intval($_GET['delete_domain']);
 
     mysqli_query($mysqli,"DELETE FROM domains WHERE domain_id = $domain_id AND company_id = $session_company_id");
@@ -5396,6 +5760,14 @@ if(isset($_GET['delete_domain'])){
 }
 
 if(isset($_GET['export_client_domains_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_domains_csv']);
 
     //get records from database
@@ -5439,6 +5811,13 @@ if(isset($_GET['export_client_domains_csv'])){
 
 if(isset($_POST['add_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
@@ -5477,6 +5856,13 @@ if(isset($_POST['add_ticket'])){
 
 if(isset($_POST['add_scheduled_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
@@ -5512,6 +5898,13 @@ if(isset($_POST['add_scheduled_ticket'])){
 
 if(isset($_POST['edit_scheduled_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
@@ -5540,6 +5933,14 @@ if(isset($_POST['edit_scheduled_ticket'])){
 }
 
 if(isset($_GET['delete_scheduled_ticket'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $scheduled_ticket_id = intval($_GET['delete_scheduled_ticket']);
 
     // Delete
@@ -5555,6 +5956,13 @@ if(isset($_GET['delete_scheduled_ticket'])){
 
 if(isset($_POST['edit_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
@@ -5582,6 +5990,13 @@ if(isset($_POST['edit_ticket'])){
 
 if(isset($_POST['assign_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $ticket_id = intval($_POST['ticket_id']);
     $assigned_to = intval($_POST['assigned_to']);
 
@@ -5599,6 +6014,14 @@ if(isset($_POST['assign_ticket'])){
 }
 
 if(isset($_GET['delete_ticket'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $ticket_id = intval($_GET['delete_ticket']);
 
     mysqli_query($mysqli,"DELETE FROM tickets WHERE ticket_id = $ticket_id AND company_id = $session_company_id");
@@ -5614,7 +6037,14 @@ if(isset($_GET['delete_ticket'])){
 
 if(isset($_POST['add_ticket_reply'])){
 
-    // HTML Purifier
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
+  // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
     $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
@@ -5701,7 +6131,14 @@ if(isset($_POST['add_ticket_reply'])){
 
 if(isset($_POST['edit_ticket_reply'])){
 
-    // HTML Purifier
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
+  // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
     $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
@@ -5722,6 +6159,14 @@ if(isset($_POST['edit_ticket_reply'])){
 }
 
 if(isset($_GET['archive_ticket_reply'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $ticket_reply_id = intval($_GET['archive_ticket_reply']);
 
     mysqli_query($mysqli,"UPDATE ticket_replies SET ticket_reply_archived_at = NOW() WHERE ticket_reply_id = $ticket_reply_id AND company_id = $session_company_id");
@@ -5736,6 +6181,14 @@ if(isset($_GET['archive_ticket_reply'])){
 }
 
 if(isset($_POST['merge_ticket'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $ticket_id = intval($_POST['ticket_id']);
     $merge_into_ticket_number = intval($_POST['merge_into_ticket_number']);
     $merge_comment = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['merge_comment'])));
@@ -5787,6 +6240,13 @@ if(isset($_POST['merge_ticket'])){
 
 if(isset($_GET['close_ticket'])){
 
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $ticket_id = intval($_GET['close_ticket']);
 
     mysqli_query($mysqli,"UPDATE tickets SET ticket_status = 'Closed', ticket_updated_at = NOW(), ticket_closed_at = NOW(), ticket_closed_by = $session_user_id WHERE ticket_id = $ticket_id AND company_id = $session_company_id") or die(mysqli_error($mysqli));
@@ -5895,6 +6355,14 @@ if(isset($_POST['add_invoice_from_ticket'])){
 }
 
 if(isset($_GET['export_client_tickets_csv'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_tickets_csv']);
 
     //get records from database
@@ -5936,6 +6404,14 @@ if(isset($_GET['export_client_tickets_csv'])){
 }
 
 if(isset($_POST['add_service'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $service_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
     $service_description = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['description'])));
@@ -6028,6 +6504,14 @@ if(isset($_POST['add_service'])){
 }
 
 if(isset($_POST['edit_service'])){
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $service_id = intval($_POST['service_id']);
     $service_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
@@ -6122,6 +6606,14 @@ if(isset($_POST['edit_service'])){
 }
 
 if(isset($_GET['delete_service'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $service_id = intval($_GET['delete_service']);
 
     // Delete service
@@ -6210,6 +6702,14 @@ if(isset($_POST['add_file'])){
 }
 
 if(isset($_GET['delete_file'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $file_id = intval($_GET['delete_file']);
 
     $sql_file = mysqli_query($mysqli,"SELECT * FROM files WHERE file_id = $file_id AND company_id = $session_company_id");
@@ -6232,7 +6732,14 @@ if(isset($_GET['delete_file'])){
 
 if(isset($_POST['add_document'])){
 
-    // HTML Purifier
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
+  // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
     $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
@@ -6267,7 +6774,14 @@ if(isset($_POST['add_document'])){
 
 if(isset($_POST['edit_document'])){
 
-    // HTML Purifier
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
+  // HTML Purifier
     require("plugins/htmlpurifier/HTMLPurifier.standalone.php");
     $purifier_config = HTMLPurifier_Config::createDefault();
     $purifier_config->set('URI.AllowedSchemes', ['data' => true, 'src' => true, 'http' => true, 'https' => true]);
@@ -6303,6 +6817,14 @@ if(isset($_POST['edit_document'])){
 }
 
 if(isset($_GET['delete_document'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $document_id = intval($_GET['delete_document']);
 
     mysqli_query($mysqli,"DELETE FROM documents WHERE document_id = $document_id AND company_id = $session_company_id");
@@ -6320,6 +6842,14 @@ if(isset($_GET['delete_document'])){
 }
 
 if (isset($_POST['add_document_tag'])) {
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_POST['client_id']);
     $tag_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['tag_name'])));
 
@@ -6330,6 +6860,14 @@ if (isset($_POST['add_document_tag'])) {
 }
 
 if (isset($_POST['delete_document_tag'])) {
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $tag_id = intval($_POST['tag_id']);
 
     // Delete the tag ID
@@ -6343,6 +6881,14 @@ if (isset($_POST['delete_document_tag'])) {
 }
 
 if (isset($_POST['rename_document_tag'])) {
+
+    if($session_user_role == 1){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $tag_id = intval($_POST['tag_id']);
     $tag_new_name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['tag_new_name'])));
 
@@ -6760,6 +7306,14 @@ if(isset($_GET['export_client_trips_csv'])){
 }
 
 if(isset($_GET['export_client_pdf'])){
+
+    if($session_user_role != 3){
+      $_SESSION['alert_type'] = "danger";
+      $_SESSION['alert_message'] = "You are not permitted to do that!";
+      header("Location: " . $_SERVER["HTTP_REFERER"]);
+      exit();
+    }
+
     $client_id = intval($_GET['export_client_pdf']);
 
     //get records from database
diff --git a/side_nav.php b/side_nav.php
index 7eaab778..d9eb4677 100644
--- a/side_nav.php
+++ b/side_nav.php
@@ -74,7 +74,7 @@
           </a>
         </li>
         
-        <?php if($session_user_role > 2){ ?>
+        <?php if($session_user_role >= 2){ ?>
 
         <li class="nav-header mt-3">SUPPORT</li>
         <li class="nav-item">
@@ -105,7 +105,7 @@
 
         <?php } ?>
 
-        <?php if($session_user_role == 1 OR $session_user_role > 2){ ?> 
+        <?php if($session_user_role == 1 OR $session_user_role == 3){ ?>
 
         <li class="nav-header mt-3">SALES</li>
         <li class="nav-item">
diff --git a/ticket.php b/ticket.php
index d085e5bd..2fd43c81 100644
--- a/ticket.php
+++ b/ticket.php
@@ -192,8 +192,10 @@ if(isset($_GET['ticket_id'])){
       <div class="dropdown-menu" aria-labelledby="dropdownMenuButton">
         <a class="dropdown-item" href="#" data-toggle="modal" data-target="#editTicketModal<?php echo $ticket_id; ?>">Edit</a>
         <a class="dropdown-item" href="#" data-toggle="modal" data-target="#mergeTicketModal<?php echo $ticket_id; ?>">Merge</a>
-        <div class="dropdown-divider"></div>
-        <a class="dropdown-item text-danger" href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+        <?php if($session_user_role == 3) { ?>
+          <div class="dropdown-divider"></div>
+          <a class="dropdown-item text-danger" href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+        <?php } ?>
       </div>
     </div>
   </div>
@@ -325,8 +327,10 @@ if(isset($_GET['ticket_id'])){
             </button>
             <div class="dropdown-menu">
               <a class="dropdown-item" href="#" data-toggle="modal" data-target="#replyEditTicketModal<?php echo $ticket_reply_id; ?>"><i class="fas fa-fw fa-edit text-secondary"></i> Edit</a>
-              <div class="dropdown-divider"></div>
-              <a class="dropdown-item text-danger" href="post.php?archive_ticket_reply=<?php echo $ticket_reply_id; ?>"><i class="fas fa-fw fa-trash text-danger"></i> Archive</a>
+              <?php if($session_user_role == 3) { ?>
+                <div class="dropdown-divider"></div>
+                <a class="dropdown-item text-danger" href="post.php?archive_ticket_reply=<?php echo $ticket_reply_id; ?>"><i class="fas fa-fw fa-trash text-danger"></i> Archive</a>
+              <?php } ?>
             </div>
           </div>
         </div>
diff --git a/tickets.php b/tickets.php
index 58ff9247..a2a2c3f9 100644
--- a/tickets.php
+++ b/tickets.php
@@ -434,9 +434,11 @@ $user_active_assigned_tickets = $row['total_tickets_assigned'];
                                       <div class="dropdown-menu">
                                           <a class="dropdown-item" href="#" data-toggle="modal"
                                              data-target="#editTicketModal<?php echo $ticket_id; ?>">Edit</a>
-                                          <div class="dropdown-divider"></div>
-                                          <a class="dropdown-item text-danger"
-                                             href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+                                        <?php if($session_user_role == 3) { ?>
+                                            <div class="dropdown-divider"></div>
+                                            <a class="dropdown-item text-danger"
+                                               href="post.php?delete_ticket=<?php echo $ticket_id; ?>">Delete</a>
+                                        <?php } ?>
                                       </div>
                                   </div>
                                 <?php } ?>