From 5f68d7fe5b5827b7ddc74146bce0624e03292318 Mon Sep 17 00:00:00 2001
From: Flatlogic Bot <support@flatlogic.com>
Date: Wed, 5 Nov 2025 22:26:48 +0000
Subject: [PATCH] App creation completed

---
 add-asset.php                                 |  96 +++++------
 add-user.php                                  |  89 +++++-----
 auth-helpers.php                              |  30 ++++
 db/config.php                                 |  43 ++++-
 .../003_create_permissions_table.sql          |  40 +++++
 delete-asset.php                              |   6 +-
 delete-user.php                               |  30 ++--
 edit-asset.php                                |  95 +++++------
 edit-user.php                                 | 153 ++++++++---------
 index.php                                     | 126 +++++---------
 settings.php                                  | 160 ++++++++++++++++++
 templates/sidebar.php                         |  45 +++++
 users.php                                     | 138 +++++++--------
 13 files changed, 621 insertions(+), 430 deletions(-)
 create mode 100644 auth-helpers.php
 create mode 100644 db/migrations/003_create_permissions_table.sql
 create mode 100644 settings.php
 create mode 100644 templates/sidebar.php

diff --git a/add-asset.php b/add-asset.php
index 0e8f787..cdc5e1b 100644
--- a/add-asset.php
+++ b/add-asset.php
@@ -1,27 +1,40 @@
 <?php
-require_once 'auth-check.php';
 require_once 'db/config.php';
+require_once 'auth-check.php';
+require_once 'auth-helpers.php';
+
+if (!can($_SESSION['user_role'], 'asset', 'create')) {
+    header('Location: index.php?error=access_denied');
+    exit;
+}
+
+$allowed_fields_str = can($_SESSION['user_role'], 'asset', 'create');
+$allowed_fields = ($allowed_fields_str === '*') ? ['name', 'asset_tag', 'status', 'location', 'manufacturer', 'model', 'purchase_date'] : explode(',', $allowed_fields_str);
 
 $success_message = '';
 $error_message = '';
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $name = $_POST['name'] ?? '';
-    $asset_tag = $_POST['asset_tag'] ?? '';
-    $status = $_POST['status'] ?? 'In Service';
-    $location = $_POST['location'] ?? '';
-    $manufacturer = $_POST['manufacturer'] ?? '';
-    $model = $_POST['model'] ?? '';
-    $purchase_date = $_POST['purchase_date'] ?? '';
+    $data = [];
+    $placeholders = [];
+    $columns = [];
 
-    if (empty($name) || empty($asset_tag) || empty($purchase_date)) {
-        $error_message = 'Please fill in all required fields: Name, Asset Tag, and Purchase Date.';
+    foreach ($allowed_fields as $field) {
+        if (isset($_POST[$field])) {
+            $data[] = $_POST[$field];
+            $columns[] = $field;
+            $placeholders[] = '?';
+        }
+    }
+
+    if (empty($data)) {
+        $error_message = 'No data submitted.';
     } else {
         try {
             $pdo = db();
-            $sql = "INSERT INTO assets (name, asset_tag, status, location, manufacturer, model, purchase_date) VALUES (?, ?, ?, ?, ?, ?, ?)";
+            $sql = sprintf("INSERT INTO assets (%s) VALUES (%s)", implode(', ', $columns), implode(', ', $placeholders));
             $stmt = $pdo->prepare($sql);
-            $stmt->execute([$name, $asset_tag, $status, $location, $manufacturer, $model, $purchase_date]);
+            $stmt->execute($data);
             
             header("Location: index.php?success=asset_added");
             exit;
@@ -49,48 +62,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item">
-                <a href="index.php" class="nav-link" aria-current="page">
-                    <i data-feather="home" class="me-2"></i>
-                    Dashboard
-                </a>
-            </li>
-            <li>
-                <a href="index.php" class="nav-link active">
-                    <i data-feather="box" class="me-2"></i>
-                    Assets
-                </a>
-            </li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li>
-                <a href="users.php" class="nav-link">
-                    <i data-feather="users" class="me-2"></i>
-                    Users
-                </a>
-            </li>
-            <?php endif; ?>
-            <li>
-                <a href="#" class="nav-link">
-                    <i data-feather="settings" class="me-2"></i>
-                    Settings
-                </a>
-            </li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
@@ -107,16 +79,21 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 
             <form action="add-asset.php" method="post">
                 <div class="row">
+                    <?php if (in_array('name', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="name" class="form-label">Asset Name*</label>
                         <input type="text" class="form-control" id="name" name="name" required>
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('asset_tag', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="asset_tag" class="form-label">Asset Tag*</label>
                         <input type="text" class="form-control" id="asset_tag" name="asset_tag" required>
                     </div>
+                    <?php endif; ?>
                 </div>
                 <div class="row">
+                    <?php if (in_array('status', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="status" class="form-label">Status</label>
                         <select class="form-select" id="status" name="status">
@@ -125,25 +102,34 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                             <option>Retired</option>
                         </select>
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('location', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="location" class="form-label">Location</label>
                         <input type="text" class="form-control" id="location" name="location">
                     </div>
+                    <?php endif; ?>
                 </div>
                 <div class="row">
+                    <?php if (in_array('manufacturer', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="manufacturer" class="form-label">Manufacturer</label>
                         <input type="text" class="form-control" id="manufacturer" name="manufacturer">
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('model', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="model" class="form-label">Model</label>
                         <input type="text" class="form-control" id="model" name="model">
                     </div>
+                    <?php endif; ?>
                 </div>
+                <?php if (in_array('purchase_date', $allowed_fields)): ?>
                 <div class="mb-3">
                     <label for="purchase_date" class="form-label">Purchase Date*</label>
                     <input type="date" class="form-control" id="purchase_date" name="purchase_date" required>
                 </div>
+                <?php endif; ?>
                 
                 <button type="submit" class="btn btn-primary">Add Asset</button>
                 <a href="index.php" class="btn btn-secondary">Cancel</a>
@@ -158,4 +144,4 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     feather.replace();
 </script>
 </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/add-user.php b/add-user.php
index 418eea4..d0e1365 100644
--- a/add-user.php
+++ b/add-user.php
@@ -1,10 +1,12 @@
 <?php
+require_once 'db/config.php';
 require_once 'auth-check.php';
-if ($_SESSION['user_role'] !== 'Admin') {
-    header("Location: index.php?error=access_denied");
+require_once 'auth-helpers.php';
+
+if (!can($_SESSION['user_role'], 'user', 'create')) {
+    header('Location: index.php?error=access_denied');
     exit;
 }
-require_once 'db/config.php';
 
 $error_message = '';
 
@@ -23,13 +25,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             $pdo = db();
             
             // Check if email already exists
-            $stmt = $pdo->prepare("SELECT id FROM users WHERE email = ?");
+            $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ?');
             $stmt->execute([$email]);
             if ($stmt->fetch()) {
-                $error_message = 'Email already exists.';
+                $error_message = 'A user with this email address already exists.';
             } else {
                 $hashed_password = password_hash($password, PASSWORD_DEFAULT);
-                
                 $sql = "INSERT INTO users (name, email, password, role) VALUES (?, ?, ?, ?)";
                 $stmt = $pdo->prepare($sql);
                 $stmt->execute([$name, $email, $hashed_password, $role]);
@@ -49,6 +50,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Add New User - IC-Inventory</title>
+    <meta name="description" content="Add a new user.">
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
     <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
     <link rel="preconnect" href="https://fonts.googleapis.com">
@@ -59,33 +61,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item"><a href="index.php" class="nav-link">Dashboard</a></li>
-            <li><a href="index.php" class="nav-link">Assets</a></li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li><a href="users.php" class="nav-link active">Users</a></li>
-            <?php endif; ?>
-            <li><a href="#" class="nav-link">Settings</a></li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
             <h1>Add New User</h1>
-            <div class="theme-switcher" id="theme-switcher"><i data-feather="moon"></i></div>
+            <div class="theme-switcher" id="theme-switcher">
+                <i data-feather="moon"></i>
+            </div>
         </div>
 
         <div class="surface p-4">
@@ -94,26 +77,30 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             <?php endif; ?>
 
             <form action="add-user.php" method="post">
-                <div class="mb-3">
-                    <label for="name" class="form-label">Name*</label>
-                    <input type="text" class="form-control" id="name" name="name" required>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label for="name" class="form-label">Full Name*</label>
+                        <input type="text" class="form-control" id="name" name="name" required>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label for="email" class="form-label">Email Address*</label>
+                        <input type="email" class="form-control" id="email" name="email" required>
+                    </div>
                 </div>
-                <div class="mb-3">
-                    <label for="email" class="form-label">Email*</label>
-                    <input type="email" class="form-control" id="email" name="email" required>
-                </div>
-                <div class="mb-3">
-                    <label for="password" class="form-label">Password*</label>
-                    <input type="password" class="form-control" id="password" name="password" required>
-                </div>
-                <div class="mb-3">
-                    <label for="role" class="form-label">Role</label>
-                    <select class="form-select" id="role" name="role">
-                        <option>Employee</option>
-                        <option>Asset Manager</option>
-                        <option>IT Technician</option>
-                        <option>Admin</option>
-                    </select>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label for="password" class="form-label">Password*</label>
+                        <input type="password" class="form-control" id="password" name="password" required>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label for="role" class="form-label">Role</label>
+                        <select class="form-select" id="role" name="role">
+                            <option>Employee</option>
+                            <option>IT Technician</option>
+                            <option>Asset Manager</option>
+                            <option>Admin</option>
+                        </select>
+                    </div>
                 </div>
                 
                 <button type="submit" class="btn btn-primary">Add User</button>
@@ -125,6 +112,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
 <script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
-<script>feather.replace();</script>
+<script>
+    feather.replace();
+</script>
 </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/auth-helpers.php b/auth-helpers.php
new file mode 100644
index 0000000..45e2bd4
--- /dev/null
+++ b/auth-helpers.php
@@ -0,0 +1,30 @@
+<?php
+require_once 'db/config.php';
+
+function can($role, $resource, $action) {
+    static $permissions = null;
+
+    if ($permissions === null) {
+        try {
+            $pdo = db();
+            $stmt = $pdo->query('SELECT * FROM role_permissions');
+            $all_permissions = $stmt->fetchAll(PDO::FETCH_ASSOC);
+            $permissions = [];
+            foreach ($all_permissions as $p) {
+                $permissions[$p['role']][$p['resource']][$p['action']] = $p['fields'] ?? '*';
+            }
+        } catch (PDOException $e) {
+            // Handle database errors, maybe return false or log the error
+            return false;
+        }
+    }
+
+    if (isset($permissions[$role][$resource][$action])) {
+        if (in_array($action, ['read', 'update'])) {
+            return $permissions[$role][$resource][$action];
+        }
+        return true;
+    }
+
+    return false;
+}
diff --git a/db/config.php b/db/config.php
index f12ebaf..2714b40 100644
--- a/db/config.php
+++ b/db/config.php
@@ -6,12 +6,39 @@ define('DB_USER', 'app_31009');
 define('DB_PASS', '2c66b530-2a65-423a-a106-6760b49ad1a2');
 
 function db() {
-  static $pdo;
-  if (!$pdo) {
-    $pdo = new PDO('mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset=utf8mb4', DB_USER, DB_PASS, [
-      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-    ]);
-  }
-  return $pdo;
+    static $pdo;
+    if ($pdo) {
+        return $pdo;
+    }
+
+    try {
+        $pdo = new PDO('mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset=utf8mb4', DB_USER, DB_PASS, [
+            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+        ]);
+    } catch (PDOException $e) {
+        // If the database doesn't exist, we can't run migrations.
+        // The error will be caught and displayed on the page.
+        throw $e;
+    }
+
+
+    // Migration logic
+    $pdo->exec('CREATE TABLE IF NOT EXISTS migrations (migration VARCHAR(255) PRIMARY KEY)');
+    $ran_migrations = $pdo->query('SELECT migration FROM migrations')->fetchAll(PDO::FETCH_COLUMN);
+
+    $migration_files = glob(__DIR__ . '/migrations/*.sql');
+    sort($migration_files);
+
+    foreach ($migration_files as $file) {
+        $migration_name = basename($file);
+        if (!in_array($migration_name, $ran_migrations)) {
+            $sql = file_get_contents($file);
+            $pdo->exec($sql);
+            $stmt = $pdo->prepare('INSERT INTO migrations (migration) VALUES (?)');
+            $stmt->execute([$migration_name]);
+        }
+    }
+
+    return $pdo;
 }
diff --git a/db/migrations/003_create_permissions_table.sql b/db/migrations/003_create_permissions_table.sql
new file mode 100644
index 0000000..99ec3f2
--- /dev/null
+++ b/db/migrations/003_create_permissions_table.sql
@@ -0,0 +1,40 @@
+CREATE TABLE IF NOT EXISTS `role_permissions` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `role` varchar(255) NOT NULL,
+  `resource` varchar(255) NOT NULL,
+  `action` varchar(255) NOT NULL,
+  `fields` text DEFAULT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `role_resource_action` (`role`,`resource`,`action`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+
+-- Default Permissions
+
+-- Admin: Can do everything
+INSERT INTO `role_permissions` (`role`, `resource`, `action`, `fields`) VALUES
+('Admin', 'asset', 'create', '*'),
+('Admin', 'asset', 'read', '*'),
+('Admin', 'asset', 'update', '*'),
+('Admin', 'asset', 'delete', '*'),
+('Admin', 'user', 'create', '*'),
+('Admin', 'user', 'read', '*'),
+('Admin', 'user', 'update', '*'),
+('Admin', 'user', 'delete', '*');
+
+-- Asset Manager: Can manage assets
+INSERT INTO `role_permissions` (`role`, `resource`, `action`, `fields`) VALUES
+('Asset Manager', 'asset', 'create', '*'),
+('Asset Manager', 'asset', 'read', '*'),
+('Asset Manager', 'asset', 'update', '*'),
+('Asset Manager', 'asset', 'delete', '*');
+
+-- IT Technician: Can manage assets
+INSERT INTO `role_permissions` (`role`, `resource`, `action`, `fields`) VALUES
+('IT Technician', 'asset', 'create', '*'),
+('IT Technician', 'asset', 'read', '*'),
+('IT Technician', 'asset', 'update', '*'),
+('IT Technician', 'asset', 'delete', '*');
+
+-- Employee: Can only read some asset fields
+INSERT INTO `role_permissions` (`role`, `resource`, `action`, `fields`) VALUES
+('Employee', 'asset', 'read', 'name,asset_tag,status,location,manufacturer,model');
diff --git a/delete-asset.php b/delete-asset.php
index eb49404..11fc3d2 100644
--- a/delete-asset.php
+++ b/delete-asset.php
@@ -1,10 +1,6 @@
 <?php
-require_once 'auth-check.php';
-if (!in_array($_SESSION['user_role'], ['Admin', 'Asset Manager', 'IT Technician'])) {
-    header("Location: index.php?error=access_denied");
-    exit;
-}
 require_once 'db/config.php';
+require_once 'auth-check.php';
 
 if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
     header("Location: index.php");
diff --git a/delete-user.php b/delete-user.php
index c1d5a72..397a693 100644
--- a/delete-user.php
+++ b/delete-user.php
@@ -1,34 +1,36 @@
 <?php
-require_once 'auth-check.php';
-if ($_SESSION['user_role'] !== 'Admin') {
-    header("Location: index.php?error=access_denied");
-    exit;
-}
 require_once 'db/config.php';
+require_once 'auth-check.php';
 
-if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
-    header("Location: users.php");
+// Only Admins can access this page
+if ($_SESSION['user_role'] !== 'Admin') {
+    header('Location: index.php?error=access_denied');
     exit;
 }
 
-$user_id = $_GET['id'];
+$user_id = $_GET['id'] ?? null;
 
-// Prevent deleting the default admin user (ID = 1)
-if ($user_id == 1) {
-    header("Location: users.php?error=cannot_delete_admin");
+if (!$user_id) {
+    header('Location: users.php');
+    exit;
+}
+
+// Prevent user from deleting themselves
+if ($user_id == $_SESSION['user_id']) {
+    header('Location: users.php?error=self_delete');
     exit;
 }
 
 try {
     $pdo = db();
-    $stmt = $pdo->prepare("DELETE FROM users WHERE id = ?");
+    $stmt = $pdo->prepare('DELETE FROM users WHERE id = ?');
     $stmt->execute([$user_id]);
 
     header("Location: users.php?success=user_deleted");
     exit;
 
 } catch (PDOException $e) {
+    // In a real app, log this error.
     header("Location: users.php?error=db_error");
     exit;
-}
-?>
+}
\ No newline at end of file
diff --git a/edit-asset.php b/edit-asset.php
index 049744e..3da9aff 100644
--- a/edit-asset.php
+++ b/edit-asset.php
@@ -1,6 +1,15 @@
 <?php
-require_once 'auth-check.php';
 require_once 'db/config.php';
+require_once 'auth-check.php';
+require_once 'auth-helpers.php';
+
+if (!can($_SESSION['user_role'], 'asset', 'update')) {
+    header('Location: index.php?error=access_denied');
+    exit;
+}
+
+$allowed_fields_str = can($_SESSION['user_role'], 'asset', 'update');
+$allowed_fields = ($allowed_fields_str === '*') ? ['name', 'asset_tag', 'status', 'location', 'manufacturer', 'model', 'purchase_date'] : explode(',', $allowed_fields_str);
 
 $success_message = '';
 $error_message = '';
@@ -28,22 +37,25 @@ try {
 }
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $name = $_POST['name'] ?? '';
-    $asset_tag = $_POST['asset_tag'] ?? '';
-    $status = $_POST['status'] ?? 'In Service';
-    $location = $_POST['location'] ?? '';
-    $manufacturer = $_POST['manufacturer'] ?? '';
-    $model = $_POST['model'] ?? '';
-    $purchase_date = $_POST['purchase_date'] ?? '';
+    $data = [];
+    $set_parts = [];
 
-    if (empty($name) || empty($asset_tag) || empty($purchase_date)) {
-        $error_message = 'Please fill in all required fields: Name, Asset Tag, and Purchase Date.';
+    foreach ($allowed_fields as $field) {
+        if (isset($_POST[$field])) {
+            $data[] = $_POST[$field];
+            $set_parts[] = "$field = ?";
+        }
+    }
+    $data[] = $asset_id;
+
+    if (empty($set_parts)) {
+        $error_message = 'No data submitted.';
     } else {
         try {
             $pdo = db();
-            $sql = "UPDATE assets SET name = ?, asset_tag = ?, status = ?, location = ?, manufacturer = ?, model = ?, purchase_date = ? WHERE id = ?";
+            $sql = sprintf("UPDATE assets SET %s WHERE id = ?", implode(', ', $set_parts));
             $stmt = $pdo->prepare($sql);
-            $stmt->execute([$name, $asset_tag, $status, $location, $manufacturer, $model, $purchase_date, $asset_id]);
+            $stmt->execute($data);
             
             header("Location: index.php?success=asset_updated");
             exit;
@@ -71,48 +83,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item">
-                <a href="index.php" class="nav-link" aria-current="page">
-                    <i data-feather="home" class="me-2"></i>
-                    Dashboard
-                </a>
-            </li>
-            <li>
-                <a href="index.php" class="nav-link active">
-                    <i data-feather="box" class="me-2"></i>
-                    Assets
-                </a>
-            </li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li>
-                <a href="users.php" class="nav-link">
-                    <i data-feather="users" class="me-2"></i>
-                    Users
-                </a>
-            </li>
-            <?php endif; ?>
-            <li>
-                <a href="#" class="nav-link">
-                    <i data-feather="settings" class="me-2"></i>
-                    Settings
-                </a>
-            </li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
@@ -130,16 +101,21 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             <?php if ($asset): ?>
             <form action="edit-asset.php?id=<?php echo $asset_id; ?>" method="post">
                 <div class="row">
+                    <?php if (in_array('name', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="name" class="form-label">Asset Name*</label>
                         <input type="text" class="form-control" id="name" name="name" value="<?php echo htmlspecialchars($asset['name']); ?>" required>
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('asset_tag', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="asset_tag" class="form-label">Asset Tag*</label>
                         <input type="text" class="form-control" id="asset_tag" name="asset_tag" value="<?php echo htmlspecialchars($asset['asset_tag']); ?>" required>
                     </div>
+                    <?php endif; ?>
                 </div>
                 <div class="row">
+                    <?php if (in_array('status', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="status" class="form-label">Status</label>
                         <select class="form-select" id="status" name="status">
@@ -148,25 +124,34 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                             <option <?php if ($asset['status'] === 'Retired') echo 'selected'; ?>>Retired</option>
                         </select>
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('location', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="location" class="form-label">Location</label>
                         <input type="text" class="form-control" id="location" name="location" value="<?php echo htmlspecialchars($asset['location']); ?>">
                     </div>
+                    <?php endif; ?>
                 </div>
                 <div class="row">
+                    <?php if (in_array('manufacturer', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="manufacturer" class="form-label">Manufacturer</label>
                         <input type="text" class="form-control" id="manufacturer" name="manufacturer" value="<?php echo htmlspecialchars($asset['manufacturer']); ?>">
                     </div>
+                    <?php endif; ?>
+                    <?php if (in_array('model', $allowed_fields)): ?>
                     <div class="col-md-6 mb-3">
                         <label for="model" class="form-label">Model</label>
                         <input type="text" class="form-control" id="model" name="model" value="<?php echo htmlspecialchars($asset['model']); ?>">
                     </div>
+                    <?php endif; ?>
                 </div>
+                <?php if (in_array('purchase_date', $allowed_fields)): ?>
                 <div class="mb-3">
                     <label for="purchase_date" class="form-label">Purchase Date*</label>
                     <input type="date" class="form-control" id="purchase_date" name="purchase_date" value="<?php echo htmlspecialchars($asset['purchase_date']); ?>" required>
                 </div>
+                <?php endif; ?>
                 
                 <button type="submit" class="btn btn-primary">Update Asset</button>
                 <a href="index.php" class="btn btn-secondary">Cancel</a>
@@ -182,4 +167,4 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     feather.replace();
 </script>
 </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/edit-user.php b/edit-user.php
index f53d2b4..37c1946 100644
--- a/edit-user.php
+++ b/edit-user.php
@@ -1,29 +1,32 @@
 <?php
+require_once 'db/config.php';
 require_once 'auth-check.php';
-if ($_SESSION['user_role'] !== 'Admin') {
-    header("Location: index.php?error=access_denied");
+require_once 'auth-helpers.php';
+
+if (!can($_SESSION['user_role'], 'user', 'update')) {
+    header('Location: index.php?error=access_denied');
     exit;
 }
-require_once 'db/config.php';
+
+$allowed_fields_str = can($_SESSION['user_role'], 'user', 'update');
+$allowed_fields = ($allowed_fields_str === '*') ? ['name', 'email', 'role'] : explode(',', $allowed_fields_str);
 
 $error_message = '';
-$user = null;
+$user_id = $_GET['id'] ?? null;
 
-if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
-    header("Location: users.php");
+if (!$user_id) {
+    header('Location: users.php');
     exit;
 }
 
-$user_id = $_GET['id'];
-
 try {
     $pdo = db();
-    $stmt = $pdo->prepare("SELECT id, name, email, role FROM users WHERE id = ?");
+    $stmt = $pdo->prepare('SELECT id, name, email, role FROM users WHERE id = ?');
     $stmt->execute([$user_id]);
-    $user = $stmt->fetch(PDO::FETCH_ASSOC);
+    $user = $stmt->fetch();
 
     if (!$user) {
-        header("Location: users.php?error=not_found");
+        header('Location: users.php');
         exit;
     }
 } catch (PDOException $e) {
@@ -31,35 +34,36 @@ try {
 }
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $name = $_POST['name'] ?? '';
-    $email = $_POST['email'] ?? '';
-    $role = $_POST['role'] ?? 'Employee';
-    $password = $_POST['password'] ?? '';
+    $data = [];
+    $set_parts = [];
 
-    if (empty($name) || empty($email)) {
-        $error_message = 'Name and Email are required.';
-    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
-        $error_message = 'Invalid email format.';
+    foreach ($allowed_fields as $field) {
+        if (isset($_POST[$field])) {
+            $data[] = $_POST[$field];
+            $set_parts[] = "$field = ?";
+        }
+    }
+    $data[] = $user_id;
+
+    if (empty($set_parts)) {
+        $error_message = 'No data submitted.';
     } else {
         try {
             $pdo = db();
-
+            
             // Check if email already exists for another user
-            $stmt = $pdo->prepare("SELECT id FROM users WHERE email = ? AND id != ?");
-            $stmt->execute([$email, $user_id]);
-            if ($stmt->fetch()) {
-                $error_message = 'Email already exists for another user.';
-            } else {
-                if (!empty($password)) {
-                    $hashed_password = password_hash($password, PASSWORD_DEFAULT);
-                    $sql = "UPDATE users SET name = ?, email = ?, role = ?, password = ? WHERE id = ?";
-                    $stmt = $pdo->prepare($sql);
-                    $stmt->execute([$name, $email, $role, $hashed_password, $user_id]);
-                } else {
-                    $sql = "UPDATE users SET name = ?, email = ?, role = ? WHERE id = ?";
-                    $stmt = $pdo->prepare($sql);
-                    $stmt->execute([$name, $email, $role, $user_id]);
+            if (in_array('email', $allowed_fields)) {
+                $stmt = $pdo->prepare('SELECT id FROM users WHERE email = ? AND id != ?');
+                $stmt->execute([$_POST['email'], $user_id]);
+                if ($stmt->fetch()) {
+                    $error_message = 'A user with this email address already exists.';
                 }
+            }
+
+            if (!$error_message) {
+                $sql = sprintf("UPDATE users SET %s WHERE id = ?", implode(', ', $set_parts));
+                $stmt = $pdo->prepare($sql);
+                $stmt->execute($data);
                 
                 header("Location: users.php?success=user_updated");
                 exit;
@@ -76,6 +80,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Edit User - IC-Inventory</title>
+    <meta name="description" content="Edit an existing user.">
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
     <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
     <link rel="preconnect" href="https://fonts.googleapis.com">
@@ -86,33 +91,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item"><a href="index.php" class="nav-link">Dashboard</a></li>
-            <li><a href="index.php" class="nav-link">Assets</a></li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li><a href="users.php" class="nav-link active">Users</a></li>
-            <?php endif; ?>
-            <li><a href="#" class="nav-link">Settings</a></li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
             <h1>Edit User</h1>
-            <div class="theme-switcher" id="theme-switcher"><i data-feather="moon"></i></div>
+            <div class="theme-switcher" id="theme-switcher">
+                <i data-feather="moon"></i>
+            </div>
         </div>
 
         <div class="surface p-4">
@@ -121,28 +107,33 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             <?php endif; ?>
 
             <?php if ($user): ?>
-            <form action="edit-user.php?id=<?php echo $user_id; ?>" method="post">
-                <div class="mb-3">
-                    <label for="name" class="form-label">Name*</label>
-                    <input type="text" class="form-control" id="name" name="name" value="<?php echo htmlspecialchars($user['name']); ?>" required>
+            <form action="edit-user.php?id=<?php echo $user['id']; ?>" method="post">
+                <div class="row">
+                    <?php if (in_array('name', $allowed_fields)): ?>
+                    <div class="col-md-6 mb-3">
+                        <label for="name" class="form-label">Full Name*</label>
+                        <input type="text" class="form-control" id="name" name="name" value="<?php echo htmlspecialchars($user['name']); ?>" required>
+                    </div>
+                    <?php endif; ?>
+                    <?php if (in_array('email', $allowed_fields)): ?>
+                    <div class="col-md-6 mb-3">
+                        <label for="email" class="form-label">Email Address*</label>
+                        <input type="email" class="form-control" id="email" name="email" value="<?php echo htmlspecialchars($user['email']); ?>" required>
+                    </div>
+                    <?php endif; ?>
                 </div>
-                <div class="mb-3">
-                    <label for="email" class="form-label">Email*</label>
-                    <input type="email" class="form-control" id="email" name="email" value="<?php echo htmlspecialchars($user['email']); ?>" required>
-                </div>
-                <div class="mb-3">
-                    <label for="password" class="form-label">New Password</label>
-                    <input type="password" class="form-control" id="password" name="password">
-                    <div class="form-text">Leave blank to keep the current password.</div>
-                </div>
-                <div class="mb-3">
-                    <label for="role" class="form-label">Role</label>
-                    <select class="form-select" id="role" name="role">
-                        <option <?php if ($user['role'] === 'Employee') echo 'selected'; ?>>Employee</option>
-                        <option <?php if ($user['role'] === 'Asset Manager') echo 'selected'; ?>>Asset Manager</option>
-                        <option <?php if ($user['role'] === 'IT Technician') echo 'selected'; ?>>IT Technician</option>
-                        <option <?php if ($user['role'] === 'Admin') echo 'selected'; ?>>Admin</option>
-                    </select>
+                <div class="row">
+                    <?php if (in_array('role', $allowed_fields)): ?>
+                    <div class="col-md-6 mb-3">
+                        <label for="role" class="form-label">Role</label>
+                        <select class="form-select" id="role" name="role">
+                            <option <?php echo ($user['role'] === 'Employee') ? 'selected' : ''; ?>>Employee</option>
+                            <option <?php echo ($user['role'] === 'IT Technician') ? 'selected' : ''; ?>>IT Technician</option>
+                            <option <?php echo ($user['role'] === 'Asset Manager') ? 'selected' : ''; ?>>Asset Manager</option>
+                            <option <?php echo ($user['role'] === 'Admin') ? 'selected' : ''; ?>>Admin</option>
+                        </select>
+                    </div>
+                    <?php endif; ?>
                 </div>
                 
                 <button type="submit" class="btn btn-primary">Update User</button>
@@ -155,6 +146,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
 <script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
-<script>feather.replace();</script>
+<script>
+    feather.replace();
+</script>
 </body>
-</html>
+</html>
\ No newline at end of file
diff --git a/index.php b/index.php
index 3780a84..d43345b 100644
--- a/index.php
+++ b/index.php
@@ -1,28 +1,34 @@
 <?php
-require_once 'auth-check.php';
 require_once 'db/config.php';
+require_once 'auth-check.php';
+require_once 'auth-helpers.php';
+
+// Get allowed fields for the current user
+$allowed_fields_str = can($_SESSION['user_role'], 'asset', 'read');
+$allowed_fields = $allowed_fields_str ? explode(',', $allowed_fields_str) : [];
 
 // Function to execute query and return results
-function get_assets() {
+function get_assets($fields) {
+    if (empty($fields)) {
+        return []; // No read permission
+    }
+    // Always include id for edit/delete links
+    if (!in_array('id', $fields)) {
+        $fields[] = 'id';
+    }
+    
+    $select_fields = implode(', ', $fields);
+
     try {
         $pdo = db();
-        // Check if table exists, if not, run migration
-        $result = $pdo->query("SHOW TABLES LIKE 'assets'");
-        if ($result->rowCount() == 0) {
-            $sql = file_get_contents('db/migrations/001_create_assets_table.sql');
-            $pdo->exec($sql);
-        }
-
-        $stmt = $pdo->query('SELECT * FROM assets ORDER BY created_at DESC');
+        $stmt = $pdo->query("SELECT $select_fields FROM assets ORDER BY created_at DESC");
         return $stmt->fetchAll(PDO::FETCH_ASSOC);
     } catch (PDOException $e) {
-        // In a real app, you'd log this error and show a user-friendly message.
-        // For this initial setup, we'll just display the error.
         return ['error' => 'Database error: ' . $e->getMessage()];
     }
 }
 
-$assets = get_assets();
+$assets = get_assets($allowed_fields);
 
 function getStatusClass($status) {
     switch (strtolower($status)) {
@@ -44,13 +50,6 @@ function getStatusClass($status) {
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>IC-Inventory</title>
     <meta name="description" content="Built with Flatlogic Generator">
-    <meta name="keywords" content="asset management, inventory control, company assets, IT inventory, asset tracking, equipment management, Built with Flatlogic Generator">
-    <meta property="og:title" content="IC-Inventory">
-    <meta property="og:description" content="Built with Flatlogic Generator">
-    <meta property="og:image" content="">
-    <meta name="twitter:card" content="summary_large_image">
-    <meta name="twitter:image" content="">
-
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
     <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
     <link rel="preconnect" href="https://fonts.googleapis.com">
@@ -61,54 +60,15 @@ function getStatusClass($status) {
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item">
-                <a href="#" class="nav-link active" aria-current="page">
-                    <i data-feather="home" class="me-2"></i>
-                    Dashboard
-                </a>
-            </li>
-            <li>
-                <a href="#" class="nav-link">
-                    <i data-feather="box" class="me-2"></i>
-                    Assets
-                </a>
-            </li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li>
-                <a href="users.php" class="nav-link">
-                    <i data-feather="users" class="me-2"></i>
-                    Users
-                </a>
-            </li>
-            <?php endif; ?>
-            <li>
-                <a href="#" class="nav-link">
-                    <i data-feather="settings" class="me-2"></i>
-                    Settings
-                </a>
-            </li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
             <h1>Asset Dashboard</h1>
             <div>
-                <a href="add-asset.php" class="btn btn-primary">Add New Asset</a>
+                <?php if (can($_SESSION['user_role'], 'asset', 'create')): ?>
+                    <a href="add-asset.php" class="btn btn-primary">Add New Asset</a>
+                <?php endif; ?>
                 <div class="theme-switcher" id="theme-switcher">
                     <i data-feather="moon"></i>
                 </div>
@@ -133,38 +93,40 @@ function getStatusClass($status) {
             <?php elseif (empty($assets)): ?>
                 <div class="text-center p-5">
                     <h4>No assets found.</h4>
-                    <p>Get started by adding your first company asset.</p>
-                    <a href="add-asset.php" class="btn btn-primary">Add Asset</a>
+                    <?php if (can($_SESSION['user_role'], 'asset', 'create'])): ?>
+                        <p>Get started by adding your first company asset.</p>
+                        <a href="add-asset.php" class="btn btn-primary">Add Asset</a>
+                    <?php endif; ?>
                 </div>
             <?php else: ?>
                 <div class="table-responsive">
                     <table class="table asset-table">
                         <thead>
                             <tr>
-                                <th>Name</th>
-                                <th>Asset Tag</th>
-                                <th>Status</th>
-                                <th>Location</th>
-                                <th>Manufacturer</th>
-                                <th>Model</th>
-                                <th>Purchase Date</th>
+                                <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
+                                    <th><?php echo ucfirst(str_replace('_', ' ', $field)); ?></th>
+                                <?php endforeach; ?>
                                 <th>Actions</th>
                             </tr>
                         </thead>
                         <tbody>
                             <?php foreach ($assets as $asset): ?>
                                 <tr>
-                                    <td><?php echo htmlspecialchars($asset['name']); ?></td>
-                                    <td><?php echo htmlspecialchars($asset['asset_tag']); ?></td>
-                                    <td><span class="status <?php echo getStatusClass($asset['status']); ?>"><?php echo htmlspecialchars($asset['status']); ?></span></td>
-                                    <td><?php echo htmlspecialchars($asset['location']); ?></td>
-                                    <td><?php echo htmlspecialchars($asset['manufacturer']); ?></td>
-                                    <td><?php echo htmlspecialchars($asset['model']); ?></td>
-                                    <td><?php echo htmlspecialchars($asset['purchase_date']); ?></td>
+                                    <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
+                                        <td>
+                                            <?php if ($field === 'status'): ?>
+                                                <span class="status <?php echo getStatusClass($asset[$field]); ?>"><?php echo htmlspecialchars($asset[$field]); ?></span>
+                                            <?php else: ?>
+                                                <?php echo htmlspecialchars($asset[$field]); ?>
+                                            <?php endif; ?>
+                                        </td>
+                                    <?php endforeach; ?>
                                     <td>
-                                        <a href="edit-asset.php?id=<?php echo $asset['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
-                                        <?php if (in_array($_SESSION['user_role'], ['Admin', 'Asset Manager', 'IT Technician'])): ?>
-                                        <a href="delete-asset.php?id=<?php echo $asset['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this asset?');">Delete</a>
+                                        <?php if (can($_SESSION['user_role'], 'asset', 'update')): ?>
+                                            <a href="edit-asset.php?id=<?php echo $asset['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
+                                        <?php endif; ?>
+                                        <?php if (can($_SESSION['user_role'], 'asset', 'delete'])): ?>
+                                            <a href="delete-asset.php?id=<?php echo $asset['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this asset?');">Delete</a>
                                         <?php endif; ?>
                                     </td>
                                 </tr>
diff --git a/settings.php b/settings.php
new file mode 100644
index 0000000..48ac6ab
--- /dev/null
+++ b/settings.php
@@ -0,0 +1,160 @@
+<?php
+require_once 'db/config.php';
+require_once 'auth-check.php';
+
+// Only Admins can access this page
+if ($_SESSION['user_role'] !== 'Admin') {
+    header('Location: index.php?error=access_denied');
+    exit;
+}
+
+$success_message = '';
+$error_message = '';
+
+$roles = ['Admin', 'Asset Manager', 'IT Technician', 'Employee'];
+$resources = ['asset', 'user'];
+$actions = ['create', 'read', 'update', 'delete'];
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    try {
+        $pdo = db();
+        $pdo->beginTransaction();
+
+        // Clear existing permissions
+        $pdo->exec('TRUNCATE TABLE role_permissions');
+
+        $stmt = $pdo->prepare('INSERT INTO role_permissions (role, resource, action, fields) VALUES (?, ?, ?, ?)');
+
+        $permissions = $_POST['permissions'] ?? [];
+
+        foreach ($roles as $role) {
+            foreach ($resources as $resource) {
+                foreach ($actions as $action) {
+                    if (!empty($permissions[$role][$resource][$action]['enabled'])) {
+                        $fields = $permissions[$role][$resource][$action]['fields'] ?? null;
+                        if (in_array($action, ['read', 'update']) && empty($fields)) {
+                            $fields = '*'; // Default to all fields if not specified
+                        }
+                        $stmt->execute([$role, $resource, $action, $fields]);
+                    }
+                }
+            }
+        }
+
+        $pdo->commit();
+        $success_message = 'Permissions updated successfully!';
+
+    } catch (PDOException $e) {
+        if ($pdo->inTransaction()) {
+            $pdo->rollBack();
+        }
+        $error_message = 'Database error: ' . $e->getMessage();
+    }
+}
+
+
+function get_permissions() {
+    try {
+        $pdo = db();
+        $stmt = $pdo->query('SELECT * FROM role_permissions ORDER BY role, resource, action');
+        return $stmt->fetchAll(PDO::FETCH_ASSOC);
+    } catch (PDOException $e) {
+        return ['error' => 'Database error: ' . $e->getMessage()];
+    }
+}
+
+$permissions_from_db = get_permissions();
+
+// Group permissions by role and resource for easier display
+$grouped_permissions = [];
+foreach ($permissions_from_db as $p) {
+    $grouped_permissions[$p['role']][$p['resource']][$p['action']] = $p['fields'];
+}
+
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Settings - Role Permissions - IC-Inventory</title>
+    <meta name="description" content="Manage role permissions.">
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap" rel="stylesheet">
+    <script src="https://unpkg.com/feather-icons"></script>
+</head>
+<body>
+
+<div class="wrapper">
+    <?php require_once 'templates/sidebar.php'; ?>
+
+    <main id="content">
+        <div class="header">
+            <h1>Settings - Role Permissions</h1>
+            <div class="theme-switcher" id="theme-switcher">
+                <i data-feather="moon"></i>
+            </div>
+        </div>
+
+        <div class="surface p-4">
+            <?php if ($success_message): ?>
+                <div class="alert alert-success"><?php echo htmlspecialchars($success_message); ?></div>
+            <?php endif; ?>
+            <?php if ($error_message): ?>
+                <div class="alert alert-danger"><?php echo htmlspecialchars($error_message); ?></div>
+            <?php endif; ?>
+
+            <form action="settings.php" method="post">
+                <div class="table-responsive">
+                    <table class="table table-bordered permission-table">
+                        <thead>
+                            <tr>
+                                <th>Role</th>
+                                <th>Resource</th>
+                                <th>Create</th>
+                                <th>Read (Fields)</th>
+                                <th>Update (Fields)</th>
+                                <th>Delete</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            <?php foreach ($roles as $role): ?>
+                                <?php foreach ($resources as $resource_idx => $resource): ?>
+                                    <tr>
+                                        <?php if ($resource_idx === 0): ?>
+                                            <td rowspan="<?php echo count($resources); ?>" class="align-middle"><strong><?php echo $role; ?></strong></td>
+                                        <?php endif; ?>
+                                        <td class="align-middle"><?php echo ucfirst($resource); ?></td>
+                                        
+                                        <?php foreach ($actions as $action): ?>
+                                        <td class="align-middle">
+                                            <div class="form-check">
+                                                <input class="form-check-input" type="checkbox" name="permissions[<?php echo $role; ?>][<?php echo $resource; ?>][<?php echo $action; ?>][enabled]" value="1" <?php echo isset($grouped_permissions[$role][$resource][$action]) ? 'checked' : ''; ?>>
+                                            </div>
+                                            <?php if (in_array($action, ['read', 'update'])): ?>
+                                                <input type="text" class="form-control form-control-sm mt-1" name="permissions[<?php echo $role; ?>][<?php echo $resource; ?>][<?php echo $action; ?>][fields]" placeholder="* for all" value="<?php echo htmlspecialchars($grouped_permissions[$role][$resource][$action] ?? ''); ?>">
+                                            <?php endif; ?>
+                                        </td>
+                                        <?php endforeach; ?>
+                                    </tr>
+                                <?php endforeach; ?>
+                            <?php endforeach; ?>
+                        </tbody>
+                    </table>
+                </div>
+                <button type="submit" class="btn btn-primary">Save Changes</button>
+            </form>
+        </div>
+    </main>
+</div>
+
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
+<script src="assets/js/main.js?v=<?php echo time(); ?>"></script>
+<script>
+    feather.replace();
+</script>
+</body>
+</html>
\ No newline at end of file
diff --git a/templates/sidebar.php b/templates/sidebar.php
new file mode 100644
index 0000000..acc665e
--- /dev/null
+++ b/templates/sidebar.php
@@ -0,0 +1,45 @@
+<?php
+$current_page = basename($_SERVER['PHP_SELF']);
+?>
+<nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
+    <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
+        <span class="fs-4">IC-Inventory</span>
+    </a>
+    <hr>
+    <ul class="nav nav-pills flex-column mb-auto">
+        <li class="nav-item">
+            <a href="index.php" class="nav-link <?php echo ($current_page === 'index.php') ? 'active' : ''; ?>" aria-current="page">
+                <i data-feather="home" class="me-2"></i>
+                Dashboard
+            </a>
+        </li>
+        <li>
+            <a href="index.php" class="nav-link <?php echo ($current_page === 'add-asset.php' || $current_page === 'edit-asset.php') ? 'active' : ''; ?>">
+                <i data-feather="box" class="me-2"></i>
+                Assets
+            </a>
+        </li>
+        <?php if ($_SESSION['user_role'] === 'Admin'): ?>
+        <li>
+            <a href="users.php" class="nav-link <?php echo ($current_page === 'users.php' || $current_page === 'add-user.php' || $current_page === 'edit-user.php') ? 'active' : ''; ?>">
+                <i data-feather="users" class="me-2"></i>
+                Users
+            </a>
+        </li>
+        <li>
+            <a href="settings.php" class="nav-link <?php echo ($current_page === 'settings.php') ? 'active' : ''; ?>">
+                <i data-feather="settings" class="me-2"></i>
+                Settings
+            </a>
+        </li>
+        <?php endif; ?>
+    </ul>
+    <hr>
+    <div>
+        <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
+        <a href="logout.php" class="d-flex align-items-center text-decoration-none">
+            <i data-feather="log-out" class="me-2"></i>
+            <strong>Logout</strong>
+        </a>
+    </div>
+</nav>
\ No newline at end of file
diff --git a/users.php b/users.php
index 1162c03..1dc0d4b 100644
--- a/users.php
+++ b/users.php
@@ -1,30 +1,40 @@
 <?php
+require_once 'db/config.php';
 require_once 'auth-check.php';
-if ($_SESSION['user_role'] !== 'Admin') {
-    header("Location: index.php?error=access_denied");
+require_once 'auth-helpers.php';
+
+// Only Admins can access this page
+if (!can($_SESSION['user_role'], 'user', 'read')) {
+    header('Location: index.php?error=access_denied');
     exit;
 }
-require_once 'db/config.php';
 
-// Function to execute query and return results
-function get_users() {
+// Get allowed fields for the current user
+$allowed_fields_str = can($_SESSION['user_role'], 'user', 'read');
+$allowed_fields = $allowed_fields_str ? explode(',', $allowed_fields_str) : [];
+
+function get_users($fields) {
+    if (empty($fields)) {
+        return []; // No read permission
+    }
+    // Always include id for edit/delete links
+    if (!in_array('id', $fields)) {
+        $fields[] = 'id';
+    }
+    
+    $select_fields = implode(', ', $fields);
+
     try {
         $pdo = db();
-        // Check if table exists, if not, run migration
-        $result = $pdo->query("SHOW TABLES LIKE 'users'");
-        if ($result->rowCount() == 0) {
-            $sql = file_get_contents('db/migrations/002_create_users_table.sql');
-            $pdo->exec($sql);
-        }
-
-        $stmt = $pdo->query('SELECT id, name, email, role, created_at FROM users ORDER BY created_at DESC');
+        $stmt = $pdo->query("SELECT $select_fields FROM users ORDER BY created_at DESC");
         return $stmt->fetchAll(PDO::FETCH_ASSOC);
     } catch (PDOException $e) {
         return ['error' => 'Database error: ' . $e->getMessage()];
     }
 }
 
-$users = get_users();
+$users = get_users($allowed_fields);
+
 ?>
 <!DOCTYPE html>
 <html lang="en">
@@ -32,7 +42,7 @@ $users = get_users();
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>User Management - IC-Inventory</title>
-    <meta name="description" content="Manage users of the IC-Inventory system.">
+    <meta name="description" content="User management for IC-Inventory.">
     <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
     <link rel="stylesheet" href="assets/css/custom.css?v=<?php echo time(); ?>">
     <link rel="preconnect" href="https://fonts.googleapis.com">
@@ -43,70 +53,32 @@ $users = get_users();
 <body>
 
 <div class="wrapper">
-    <nav id="sidebar" class="d-flex flex-column flex-shrink-0 p-3">
-        <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto text-decoration-none">
-            <span class="fs-4">IC-Inventory</span>
-        </a>
-        <hr>
-        <ul class="nav nav-pills flex-column mb-auto">
-            <li class="nav-item">
-                <a href="index.php" class="nav-link" aria-current="page">
-                    <i data-feather="home" class="me-2"></i>
-                    Dashboard
-                </a>
-            </li>
-            <li>
-                <a href="index.php" class="nav-link">
-                    <i data-feather="box" class="me-2"></i>
-                    Assets
-                </a>
-            </li>
-            <?php if ($_SESSION['user_role'] === 'Admin'): ?>
-            <li>
-                <a href="users.php" class="nav-link active">
-                    <i data-feather="users" class="me-2"></i>
-                    Users
-                </a>
-            </li>
-            <?php endif; ?>
-            <li>
-                <a href="#" class="nav-link">
-                    <i data-feather="settings" class="me-2"></i>
-                    Settings
-                </a>
-            </li>
-        </ul>
-        <hr>
-        <div>
-            <span class="d-flex align-items-center text-decoration-none"><strong><?php echo htmlspecialchars($_SESSION['user_name']); ?></strong></span>
-            <a href="logout.php" class="d-flex align-items-center text-decoration-none">
-                <i data-feather="log-out" class="me-2"></i>
-                <strong>Logout</strong>
-            </a>
-        </div>
-    </nav>
+    <?php require_once 'templates/sidebar.php'; ?>
 
     <main id="content">
         <div class="header">
             <h1>User Management</h1>
             <div>
-                <a href="add-user.php" class="btn btn-primary">Add New User</a>
+                <?php if (can($_SESSION['user_role'], 'user', 'create')): ?>
+                    <a href="add-user.php" class="btn btn-primary">Add New User</a>
+                <?php endif; ?>
                 <div class="theme-switcher" id="theme-switcher">
                     <i data-feather="moon"></i>
                 </div>
             </div>
         </div>
 
+        <?php if (isset($_GET['success']) && $_GET['success'] === 'user_added'): ?>
+            <div class="alert alert-success">User successfully added!</div>
+        <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_updated'): ?>
+            <div class="alert alert-success">User successfully updated!</div>
+        <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_deleted'): ?>
+            <div class="alert alert-success">User successfully deleted!</div>
+        <?php elseif (isset($_GET['error']) && $_GET['error'] === 'self_delete'): ?>
+            <div class="alert alert-danger">You cannot delete your own account.</div>
+        <?php endif; ?>
+
         <div class="surface p-4">
-            <?php if (isset($_GET['success']) && $_GET['success'] === 'user_added'): ?>
-                <div class="alert alert-success">User successfully added!</div>
-            <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_updated'): ?>
-                <div class="alert alert-success">User successfully updated!</div>
-            <?php elseif (isset($_GET['success']) && $_GET['success'] === 'user_deleted'): ?>
-                <div class="alert alert-success">User successfully deleted!</div>
-            <?php elseif (isset($_GET['error']) && $_GET['error'] === 'cannot_delete_admin'): ?>
-                <div class="alert alert-danger">The default admin user cannot be deleted.</div>
-            <?php endif; ?>
             <?php if (isset($users['error'])): ?>
                 <div class="alert alert-danger">
                     <?php echo htmlspecialchars($users['error']); ?>
@@ -114,31 +86,35 @@ $users = get_users();
             <?php elseif (empty($users)): ?>
                 <div class="text-center p-5">
                     <h4>No users found.</h4>
-                    <p>Get started by adding your first user.</p>
-                    <a href="add-user.php" class="btn btn-primary">Add User</a>
+                    <?php if (can($_SESSION['user_role'], 'user', 'create'])): ?>
+                        <p>Get started by adding your first user.</p>
+                        <a href="add-user.php" class="btn btn-primary">Add User</a>
+                    <?php endif; ?>
                 </div>
             <?php else: ?>
                 <div class="table-responsive">
-                    <table class="table user-table">
+                    <table class="table">
                         <thead>
                             <tr>
-                                <th>Name</th>
-                                <th>Email</th>
-                                <th>Role</th>
-                                <th>Created At</th>
+                                <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
+                                    <th><?php echo ucfirst(str_replace('_', ' ', $field)); ?></th>
+                                <?php endforeach; ?>
                                 <th>Actions</th>
                             </tr>
                         </thead>
                         <tbody>
                             <?php foreach ($users as $user): ?>
                                 <tr>
-                                    <td><?php echo htmlspecialchars($user['name']); ?></td>
-                                    <td><?php echo htmlspecialchars($user['email']); ?></td>
-                                    <td><?php echo htmlspecialchars($user['role']); ?></td>
-                                    <td><?php echo htmlspecialchars($user['created_at']); ?></td>
+                                    <?php foreach ($allowed_fields as $field): if($field === 'id') continue; ?>
+                                        <td><?php echo htmlspecialchars($user[$field]); ?></td>
+                                    <?php endforeach; ?>
                                     <td>
-                                        <a href="edit-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
-                                        <a href="delete-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this user?');">Delete</a>
+                                        <?php if (can($_SESSION['user_role'], 'user', 'update')): ?>
+                                            <a href="edit-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-primary">Edit</a>
+                                        <?php endif; ?>
+                                        <?php if (can($_SESSION['user_role'], 'user', 'delete'])): ?>
+                                            <a href="delete-user.php?id=<?php echo $user['id']; ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this user?');">Delete</a>
+                                        <?php endif; ?>
                                     </td>
                                 </tr>
                             <?php endforeach; ?>
@@ -156,4 +132,4 @@ $users = get_users();
     feather.replace();
 </script>
 </body>
-</html>
+</html>
\ No newline at end of file