diff --git a/admin/ads.php b/admin/ads.php
index d85cd67..c4dcbb4 100644
--- a/admin/ads.php
+++ b/admin/ads.php
@@ -4,6 +4,8 @@ require_permission("ads_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 // Ensure the table exists (idempotent)
 $pdo->exec("CREATE TABLE IF NOT EXISTS ads_images (
     id INT AUTO_INCREMENT PRIMARY KEY,
@@ -16,23 +18,27 @@ $pdo->exec("CREATE TABLE IF NOT EXISTS ads_images (
 )");
 
 if (isset($_GET['delete'])) {
-    $id = $_GET['delete'];
-    
-    // Get image path to delete file
-    $stmt = $pdo->prepare("SELECT image_path FROM ads_images WHERE id = ?");
-    $stmt->execute([$id]);
-    $ad = $stmt->fetch();
-    
-    if ($ad) {
-        $fullPath = __DIR__ . '/../' . $ad['image_path'];
-        if (file_exists($fullPath) && is_file($fullPath)) {
-            unlink($fullPath);
+    if (!has_permission('ads_del')) {
+        $message = '<div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to delete advertisements.</div>';
+    } else {
+        $id = $_GET['delete'];
+        
+        // Get image path to delete file
+        $stmt = $pdo->prepare("SELECT image_path FROM ads_images WHERE id = ?");
+        $stmt->execute([$id]);
+        $ad = $stmt->fetch();
+        
+        if ($ad) {
+            $fullPath = __DIR__ . '/../' . $ad['image_path'];
+            if (file_exists($fullPath) && is_file($fullPath)) {
+                unlink($fullPath);
+            }
+            $pdo->prepare("DELETE FROM ads_images WHERE id = ?")->execute([$id]);
         }
-        $pdo->prepare("DELETE FROM ads_images WHERE id = ?")->execute([$id]);
+        
+        header("Location: ads.php");
+        exit;
     }
-    
-    header("Location: ads.php");
-    exit;
 }
 
 $query = "SELECT * FROM ads_images ORDER BY sort_order ASC, created_at DESC";
@@ -47,11 +53,15 @@ include 'includes/header.php';
         <h2 class="fw-bold mb-0">Advertisement Slider</h2>
         <p class="text-muted mb-0">Manage pictures for the public ads display page.</p>
     </div>
+    <?php if (has_permission('ads_add')): ?>
     <a href="ad_edit.php" class="btn btn-primary">
         <i class="bi bi-plus-lg"></i> Add Image
     </a>
+    <?php endif; ?>
 </div>
 
+<?= $message ?>
+
 <div class="alert alert-info border-0 shadow-sm d-flex align-items-center">
     <i class="bi bi-info-circle-fill me-3 fs-4"></i>
     <div>
@@ -113,8 +123,13 @@ include 'includes/header.php';
                             <?php endif; ?>
                         </td>
                         <td class="text-end pe-4">
+                            <?php if (has_permission('ads_add')): ?>
                             <a href="ad_edit.php?id=<?= $ad['id'] ?>" class="btn btn-sm btn-outline-primary me-1"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('ads_del')): ?>
                             <a href="?delete=<?= $ad['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure you want to delete this image?')"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
diff --git a/admin/areas.php b/admin/areas.php
index 725a687..76cd92c 100644
--- a/admin/areas.php
+++ b/admin/areas.php
@@ -4,17 +4,27 @@ require_permission("areas_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'add_area') {
-    $stmt = $pdo->prepare("INSERT INTO areas (outlet_id, name) VALUES (?, ?)");
-    $stmt->execute([$_POST['outlet_id'], $_POST['name']]);
-    header("Location: areas.php");
-    exit;
+    if (!has_permission('areas_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to add areas.</div>';
+    } else {
+        $stmt = $pdo->prepare("INSERT INTO areas (outlet_id, name) VALUES (?, ?)");
+        $stmt->execute([$_POST['outlet_id'], $_POST['name']]);
+        header("Location: areas.php");
+        exit;
+    }
 }
 
 if (isset($_GET['delete'])) {
-    $pdo->prepare("DELETE FROM areas WHERE id = ?")->execute([$_GET['delete']]);
-    header("Location: areas.php");
-    exit;
+    if (!has_permission('areas_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete areas.</div>';
+    } else {
+        $pdo->prepare("DELETE FROM areas WHERE id = ?")->execute([$_GET['delete']]);
+        header("Location: areas.php");
+        exit;
+    }
 }
 
 // Fetch areas with outlet names
@@ -34,11 +44,15 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Areas</h2>
+    <?php if (has_permission('areas_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addAreaModal">
         <i class="bi bi-plus-lg"></i> Add Area
     </button>
+    <?php endif; ?>
 </div>
 
+<?= $message ?>
+
 <div class="card border-0 shadow-sm">
     <div class="card-body p-0">
         <!-- Pagination Controls -->
@@ -62,8 +76,13 @@ include 'includes/header.php';
                         <td class="fw-bold"><?= htmlspecialchars($area['name']) ?></td>
                         <td><span class="badge bg-info text-dark"><?= htmlspecialchars($area['outlet_name'] ?? 'N/A') ?></span></td>
                         <td>
+                            <?php if (has_permission('areas_add')): ?>
                             <a href="area_edit.php?id=<?= $area['id'] ?>" class="btn btn-sm btn-outline-primary me-1" title="Edit"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('areas_del')): ?>
                             <a href="?delete=<?= $area['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Delete this area?')" title="Delete"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
@@ -83,6 +102,7 @@ include 'includes/header.php';
 </div>
 
 <!-- Add Area Modal -->
+<?php if (has_permission('areas_add')): ?>
 <div class="modal fade" id="addAreaModal" tabindex="-1">
     <div class="modal-dialog">
         <div class="modal-content">
@@ -115,5 +135,6 @@ include 'includes/header.php';
         </div>
     </div>
 </div>
+<?php endif; ?>
 
 <?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/categories.php b/admin/categories.php
index 7d2c7d0..7758e83 100644
--- a/admin/categories.php
+++ b/admin/categories.php
@@ -4,11 +4,18 @@ require_permission("categories_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
+// Handle Delete
 if (isset($_GET['delete'])) {
-    $id = $_GET['delete'];
-    $pdo->prepare("DELETE FROM categories WHERE id = ?")->execute([$id]);
-    header("Location: categories.php");
-    exit;
+    if (!has_permission('categories_del')) {
+        $message = '<div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to delete categories.</div>';
+    } else {
+        $id = $_GET['delete'];
+        $pdo->prepare("DELETE FROM categories WHERE id = ?")->execute([$id]);
+        header("Location: categories.php");
+        exit;
+    }
 }
 
 $query = "SELECT * FROM categories ORDER BY sort_order ASC, name ASC";
@@ -20,11 +27,15 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Categories</h2>
+    <?php if (has_permission('categories_add')): ?>
     <a href="category_edit.php" class="btn btn-primary">
         <i class="bi bi-plus-lg"></i> Add Category
     </a>
+    <?php endif; ?>
 </div>
 
+<?= $message ?>
+
 <div class="card border-0 shadow-sm">
     <div class="card-body p-0">
         <!-- Pagination Controls -->
@@ -61,8 +72,13 @@ include 'includes/header.php';
                         <td><?= htmlspecialchars($cat['name']) ?></td>
                         <td><?= $cat['sort_order'] ?></td>
                         <td class="text-end pe-4">
+                            <?php if (has_permission('categories_add')): ?>
                             <a href="category_edit.php?id=<?= $cat['id'] ?>" class="btn btn-sm btn-outline-primary me-1"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('categories_del')): ?>
                             <a href="?delete=<?= $cat['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure? This might break products linked to this category.')"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
diff --git a/admin/company.php b/admin/company.php
index 53f5b4c..e771a51 100644
--- a/admin/company.php
+++ b/admin/company.php
@@ -9,78 +9,82 @@ $settings = get_company_settings();
 
 // Handle Update
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $company_name = $_POST['company_name'] ?? '';
-    $address = $_POST['address'] ?? '';
-    $phone = $_POST['phone'] ?? '';
-    $email = $_POST['email'] ?? '';
-    $vat_rate = $_POST['vat_rate'] ?? 0;
-    $currency_symbol = $_POST['currency_symbol'] ?? '$';
-    $currency_decimals = $_POST['currency_decimals'] ?? 2;
-    $ctr_number = $_POST['ctr_number'] ?? '';
-    $vat_number = $_POST['vat_number'] ?? '';
+    if (!has_permission('settings_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to update settings.</div>';
+    } else {
+        $company_name = $_POST['company_name'] ?? '';
+        $address = $_POST['address'] ?? '';
+        $phone = $_POST['phone'] ?? '';
+        $email = $_POST['email'] ?? '';
+        $vat_rate = $_POST['vat_rate'] ?? 0;
+        $currency_symbol = $_POST['currency_symbol'] ?? '$';
+        $currency_decimals = $_POST['currency_decimals'] ?? 2;
+        $ctr_number = $_POST['ctr_number'] ?? '';
+        $vat_number = $_POST['vat_number'] ?? '';
 
-    // Handle File Uploads
-    $uploadDir = __DIR__ . '/../assets/images/company/';
-    if (!is_dir($uploadDir)) {
-        mkdir($uploadDir, 0755, true);
-    }
+        // Handle File Uploads
+        $uploadDir = __DIR__ . '/../assets/images/company/';
+        if (!is_dir($uploadDir)) {
+            mkdir($uploadDir, 0755, true);
+        }
 
-    $logo_url = $settings['logo_url'] ?? null;
-    $favicon_url = $settings['favicon_url'] ?? null;
+        $logo_url = $settings['logo_url'] ?? null;
+        $favicon_url = $settings['favicon_url'] ?? null;
 
-    // Logo Upload
-    if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {
-        $fileInfo = pathinfo($_FILES['logo']['name']);
-        $fileExt = strtolower($fileInfo['extension']);
-        $allowedExts = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg'];
+        // Logo Upload
+        if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {
+            $fileInfo = pathinfo($_FILES['logo']['name']);
+            $fileExt = strtolower($fileInfo['extension']);
+            $allowedExts = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'svg'];
 
-        if (in_array($fileExt, $allowedExts)) {
-            $fileName = 'logo_' . uniqid() . '.' . $fileExt;
-            $targetFile = $uploadDir . $fileName;
-            if (move_uploaded_file($_FILES['logo']['tmp_name'], $targetFile)) {
-                $logo_url = 'assets/images/company/' . $fileName;
+            if (in_array($fileExt, $allowedExts)) {
+                $fileName = 'logo_' . uniqid() . '.' . $fileExt;
+                $targetFile = $uploadDir . $fileName;
+                if (move_uploaded_file($_FILES['logo']['tmp_name'], $targetFile)) {
+                    $logo_url = 'assets/images/company/' . $fileName;
+                }
             }
         }
-    }
 
-    // Favicon Upload
-    if (isset($_FILES['favicon']) && $_FILES['favicon']['error'] === UPLOAD_ERR_OK) {
-        $fileInfo = pathinfo($_FILES['favicon']['name']);
-        $fileExt = strtolower($fileInfo['extension']);
-        $allowedExts = ['ico', 'png', 'svg']; // Favicons are usually ico/png/svg
+        // Favicon Upload
+        if (isset($_FILES['favicon']) && $_FILES['favicon']['error'] === UPLOAD_ERR_OK) {
+            $fileInfo = pathinfo($_FILES['favicon']['name']);
+            $fileExt = strtolower($fileInfo['extension']);
+            $allowedExts = ['ico', 'png', 'svg']; // Favicons are usually ico/png/svg
 
-        if (in_array($fileExt, $allowedExts)) {
-            $fileName = 'favicon_' . uniqid() . '.' . $fileExt;
-            $targetFile = $uploadDir . $fileName;
-            if (move_uploaded_file($_FILES['favicon']['tmp_name'], $targetFile)) {
-                $favicon_url = 'assets/images/company/' . $fileName;
+            if (in_array($fileExt, $allowedExts)) {
+                $fileName = 'favicon_' . uniqid() . '.' . $fileExt;
+                $targetFile = $uploadDir . $fileName;
+                if (move_uploaded_file($_FILES['favicon']['tmp_name'], $targetFile)) {
+                    $favicon_url = 'assets/images/company/' . $fileName;
+                }
             }
         }
-    }
 
-    try {
-        // Check if row exists
-        $exists = $pdo->query("SELECT COUNT(*) FROM company_settings")->fetchColumn();
-        
-        if ($exists) {
-            $stmt = $pdo->prepare("UPDATE company_settings SET company_name=?, address=?, phone=?, email=?, vat_rate=?, currency_symbol=?, currency_decimals=?, ctr_number=?, vat_number=?, logo_url=?, favicon_url=?, updated_at=NOW()");
-            $stmt->execute([$company_name, $address, $phone, $email, $vat_rate, $currency_symbol, $currency_decimals, $ctr_number, $vat_number, $logo_url, $favicon_url]);
-        } else {
-            $stmt = $pdo->prepare("INSERT INTO company_settings (company_name, address, phone, email, vat_rate, currency_symbol, currency_decimals, ctr_number, vat_number, logo_url, favicon_url) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
-            $stmt->execute([$company_name, $address, $phone, $email, $vat_rate, $currency_symbol, $currency_decimals, $ctr_number, $vat_number, $logo_url, $favicon_url]);
+        try {
+            // Check if row exists
+            $exists = $pdo->query("SELECT COUNT(*) FROM company_settings")->fetchColumn();
+            
+            if ($exists) {
+                $stmt = $pdo->prepare("UPDATE company_settings SET company_name=?, address=?, phone=?, email=?, vat_rate=?, currency_symbol=?, currency_decimals=?, ctr_number=?, vat_number=?, logo_url=?, favicon_url=?, updated_at=NOW()");
+                $stmt->execute([$company_name, $address, $phone, $email, $vat_rate, $currency_symbol, $currency_decimals, $ctr_number, $vat_number, $logo_url, $favicon_url]);
+            } else {
+                $stmt = $pdo->prepare("INSERT INTO company_settings (company_name, address, phone, email, vat_rate, currency_symbol, currency_decimals, ctr_number, vat_number, logo_url, favicon_url) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
+                $stmt->execute([$company_name, $address, $phone, $email, $vat_rate, $currency_symbol, $currency_decimals, $ctr_number, $vat_number, $logo_url, $favicon_url]);
+            }
+            
+            $message = '<div class="alert alert-success">Company settings updated successfully!</div>';
+            // Refresh settings
+            $settings = get_company_settings(); // Re-fetch to get updated values
+            // Manually update immediate values for display if fetch is cached/laggy (though re-fetch is better)
+            $settings['ctr_number'] = $ctr_number;
+            $settings['vat_number'] = $vat_number;
+            $settings['logo_url'] = $logo_url;
+            $settings['favicon_url'] = $favicon_url;
+
+        } catch (Exception $e) {
+            $message = '<div class="alert alert-danger">Error updating settings: ' . htmlspecialchars($e->getMessage()) . '</div>';
         }
-        
-        $message = '<div class="alert alert-success">Company settings updated successfully!</div>';
-        // Refresh settings
-        $settings = get_company_settings(); // Re-fetch to get updated values
-        // Manually update immediate values for display if fetch is cached/laggy (though re-fetch is better)
-        $settings['ctr_number'] = $ctr_number;
-        $settings['vat_number'] = $vat_number;
-        $settings['logo_url'] = $logo_url;
-        $settings['favicon_url'] = $favicon_url;
-
-    } catch (Exception $e) {
-        $message = '<div class="alert alert-danger">Error updating settings: ' . htmlspecialchars($e->getMessage()) . '</div>';
     }
 }
 
@@ -99,19 +103,19 @@ include 'includes/header.php';
             <div class="row">
                 <div class="col-md-6 mb-3">
                     <label class="form-label">Company Name</label>
-                    <input type="text" name="company_name" class="form-control" value="<?= htmlspecialchars($settings['company_name'] ?? '') ?>" required>
+                    <input type="text" name="company_name" class="form-control" value="<?= htmlspecialchars($settings['company_name'] ?? '') ?>" required <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
                 <div class="col-md-6 mb-3">
                     <label class="form-label">Email</label>
-                    <input type="email" name="email" class="form-control" value="<?= htmlspecialchars($settings['email'] ?? '') ?>">
+                    <input type="email" name="email" class="form-control" value="<?= htmlspecialchars($settings['email'] ?? '') ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
                 <div class="col-md-6 mb-3">
                     <label class="form-label">Phone</label>
-                    <input type="text" name="phone" class="form-control" value="<?= htmlspecialchars($settings['phone'] ?? '') ?>">
+                    <input type="text" name="phone" class="form-control" value="<?= htmlspecialchars($settings['phone'] ?? '') ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
                 <div class="col-md-12 mb-3">
                     <label class="form-label">Address</label>
-                    <textarea name="address" class="form-control" rows="3"><?= htmlspecialchars($settings['address'] ?? '') ?></textarea>
+                    <textarea name="address" class="form-control" rows="3" <?= !has_permission('settings_add') ? 'readonly' : '' ?>><?= htmlspecialchars($settings['address'] ?? '') ?></textarea>
                 </div>
             </div>
 
@@ -120,11 +124,11 @@ include 'includes/header.php';
             <div class="row">
                  <div class="col-md-6 mb-3">
                     <label class="form-label">CTR No (Company Tax Registration)</label>
-                    <input type="text" name="ctr_number" class="form-control" value="<?= htmlspecialchars($settings['ctr_number'] ?? '') ?>" placeholder="e.g. 123456789">
+                    <input type="text" name="ctr_number" class="form-control" value="<?= htmlspecialchars($settings['ctr_number'] ?? '') ?>" placeholder="e.g. 123456789" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
                 <div class="col-md-6 mb-3">
                     <label class="form-label">VAT No (Value Added Tax Number)</label>
-                    <input type="text" name="vat_number" class="form-control" value="<?= htmlspecialchars($settings['vat_number'] ?? '') ?>" placeholder="e.g. VAT-987654321">
+                    <input type="text" name="vat_number" class="form-control" value="<?= htmlspecialchars($settings['vat_number'] ?? '') ?>" placeholder="e.g. VAT-987654321" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
             </div>
 
@@ -135,17 +139,17 @@ include 'includes/header.php';
                 <div class="col-md-4 mb-3">
                     <label class="form-label">VAT Rate (%)</label>
                     <div class="input-group">
-                        <input type="number" step="0.01" name="vat_rate" class="form-control" value="<?= htmlspecialchars($settings['vat_rate'] ?? 0) ?>">
+                        <input type="number" step="0.01" name="vat_rate" class="form-control" value="<?= htmlspecialchars($settings['vat_rate'] ?? 0) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         <span class="input-group-text">%</span>
                     </div>
                 </div>
                 <div class="col-md-4 mb-3">
                     <label class="form-label">Currency Symbol</label>
-                    <input type="text" name="currency_symbol" class="form-control" value="<?= htmlspecialchars($settings['currency_symbol'] ?? '$') ?>" placeholder="e.g. $, €, £">
+                    <input type="text" name="currency_symbol" class="form-control" value="<?= htmlspecialchars($settings['currency_symbol'] ?? '$') ?>" placeholder="e.g. $, €, £" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
                 <div class="col-md-4 mb-3">
                     <label class="form-label">Decimal Places</label>
-                    <input type="number" name="currency_decimals" class="form-control" value="<?= htmlspecialchars($settings['currency_decimals'] ?? 2) ?>" min="0" max="4">
+                    <input type="number" name="currency_decimals" class="form-control" value="<?= htmlspecialchars($settings['currency_decimals'] ?? 2) ?>" min="0" max="4" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                 </div>
             </div>
 
@@ -160,9 +164,13 @@ include 'includes/header.php';
                                 <img src="<?= htmlspecialchars('../' . $settings['logo_url']) ?>" alt="Logo" style="height: 60px; max-width: 100px; object-fit: contain;">
                             </div>
                         <?php endif; ?>
+                        <?php if (has_permission('settings_add')): ?>
                         <input type="file" name="logo" class="form-control" accept="image/*">
+                        <?php endif; ?>
                     </div>
+                    <?php if (has_permission('settings_add')): ?>
                     <div class="form-text">Recommended: PNG or SVG with transparent background.</div>
+                    <?php endif; ?>
                 </div>
 
                 <div class="col-md-6 mb-3">
@@ -173,17 +181,23 @@ include 'includes/header.php';
                                 <img src="<?= htmlspecialchars('../' . $settings['favicon_url']) ?>" alt="Favicon" style="height: 32px; width: 32px; object-fit: contain;">
                             </div>
                         <?php endif; ?>
+                        <?php if (has_permission('settings_add')): ?>
                         <input type="file" name="favicon" class="form-control" accept=".ico,.png,.svg">
+                        <?php endif; ?>
                     </div>
+                    <?php if (has_permission('settings_add')): ?>
                     <div class="form-text">Recommended: 32x32 ICO or PNG.</div>
+                    <?php endif; ?>
                 </div>
             </div>
 
+            <?php if (has_permission('settings_add')): ?>
             <div class="mt-4">
                 <button type="submit" class="btn btn-primary">
                     <i class="bi bi-save"></i> Save Changes
                 </button>
             </div>
+            <?php endif; ?>
         </form>
     </div>
 </div>
diff --git a/admin/customers.php b/admin/customers.php
index eb81f2d..8587496 100644
--- a/admin/customers.php
+++ b/admin/customers.php
@@ -8,25 +8,33 @@ $message = '';
 
 // Handle Add Customer
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'add_customer') {
-    $name = $_POST['name'];
-    $email = $_POST['email'];
-    $phone = $_POST['phone'];
-    $address = $_POST['address'];
-
-    $stmt = $pdo->prepare("INSERT INTO customers (name, email, phone, address) VALUES (?, ?, ?, ?)");
-    if ($stmt->execute([$name, $email, $phone, $address])) {
-        $message = '<div class="alert alert-success">Customer added successfully!</div>';
+    if (!has_permission('customers_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to add customers.</div>';
     } else {
-        $message = '<div class="alert alert-danger">Error adding customer.</div>';
+        $name = $_POST['name'];
+        $email = $_POST['email'];
+        $phone = $_POST['phone'];
+        $address = $_POST['address'];
+
+        $stmt = $pdo->prepare("INSERT INTO customers (name, email, phone, address) VALUES (?, ?, ?, ?)");
+        if ($stmt->execute([$name, $email, $phone, $address])) {
+            $message = '<div class="alert alert-success">Customer added successfully!</div>';
+        } else {
+            $message = '<div class="alert alert-danger">Error adding customer.</div>';
+        }
     }
 }
 
 // Handle Delete
 if (isset($_GET['delete'])) {
-    $id = $_GET['delete'];
-    $pdo->prepare("DELETE FROM customers WHERE id = ?")->execute([$id]);
-    header("Location: customers.php");
-    exit;
+    if (!has_permission('customers_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete customers.</div>';
+    } else {
+        $id = $_GET['delete'];
+        $pdo->prepare("DELETE FROM customers WHERE id = ?")->execute([$id]);
+        header("Location: customers.php");
+        exit;
+    }
 }
 
 // Fetch Customers
@@ -39,9 +47,11 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Customers</h2>
+    <?php if (has_permission('customers_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addCustomerModal">
         <i class="bi bi-plus-lg"></i> Add Customer
     </button>
+    <?php endif; ?>
 </div>
 
 <?= $message ?>
@@ -76,8 +86,13 @@ include 'includes/header.php';
                         </td>
                         <td>
                             <div class="btn-group">
+                                <?php if (has_permission('customers_add')): ?>
                                 <a href="customer_edit.php?id=<?= $customer['id'] ?>" class="btn btn-sm btn-outline-primary" title="Edit Customer"><i class="bi bi-pencil"></i></a>
+                                <?php endif; ?>
+                                
+                                <?php if (has_permission('customers_del')): ?>
                                 <a href="?delete=<?= $customer['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure?')" title="Delete"><i class="bi bi-trash"></i></a>
+                                <?php endif; ?>
                             </div>
                         </td>
                     </tr>
@@ -98,6 +113,7 @@ include 'includes/header.php';
 </div>
 
 <!-- Add Customer Modal -->
+<?php if (has_permission('customers_add')): ?>
 <div class="modal fade" id="addCustomerModal" tabindex="-1">
     <div class="modal-dialog">
         <div class="modal-content">
@@ -133,5 +149,6 @@ include 'includes/header.php';
         </div>
     </div>
 </div>
+<?php endif; ?>
 
-<?php include 'includes/footer.php'; ?>
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/expense_categories.php b/admin/expense_categories.php
index 529f55c..71e1968 100644
--- a/admin/expense_categories.php
+++ b/admin/expense_categories.php
@@ -4,19 +4,23 @@ require_permission("expense_categories_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 if (isset($_GET['delete'])) {
-    $id = $_GET['delete'];
-    // Check if there are expenses linked to this category
-    $stmt = $pdo->prepare("SELECT COUNT(*) FROM expenses WHERE category_id = ?");
-    $stmt->execute([$id]);
-    if ($stmt->fetchColumn() > 0) {
-        $_SESSION['error'] = "Cannot delete category as it has linked expenses.";
+    if (!has_permission('expense_categories_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete expense categories.</div>';
     } else {
-        $pdo->prepare("DELETE FROM expense_categories WHERE id = ?")->execute([$id]);
-        $_SESSION['success'] = "Category deleted successfully.";
+        $id = $_GET['delete'];
+        // Check if there are expenses linked to this category
+        $stmt = $pdo->prepare("SELECT COUNT(*) FROM expenses WHERE category_id = ?");
+        $stmt->execute([$id]);
+        if ($stmt->fetchColumn() > 0) {
+            $message = '<div class="alert alert-danger">Cannot delete category as it has linked expenses.</div>';
+        } else {
+            $pdo->prepare("DELETE FROM expense_categories WHERE id = ?")->execute([$id]);
+            $message = '<div class="alert alert-success">Category deleted successfully.</div>';
+        }
     }
-    header("Location: expense_categories.php");
-    exit;
 }
 
 $query = "SELECT * FROM expense_categories ORDER BY name ASC";
@@ -28,17 +32,14 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Expense Categories</h2>
+    <?php if (has_permission('expense_categories_add')): ?>
     <a href="expense_category_edit.php" class="btn btn-primary">
         <i class="bi bi-plus-lg"></i> Add Category
     </a>
+    <?php endif; ?>
 </div>
 
-<?php if (isset($_SESSION['error'])): ?>
-    <div class="alert alert-danger"><?= $_SESSION['error']; unset($_SESSION['error']); ?></div>
-<?php endif; ?>
-<?php if (isset($_SESSION['success'])): ?>
-    <div class="alert alert-success"><?= $_SESSION['success']; unset($_SESSION['success']); ?></div>
-<?php endif; ?>
+<?= $message ?>
 
 <div class="card border-0 shadow-sm">
     <div class="card-body p-0">
@@ -62,8 +63,13 @@ include 'includes/header.php';
                         <td><?= htmlspecialchars($cat['name']) ?></td>
                         <td><?= htmlspecialchars($cat['description'] ?? '') ?></td>
                         <td class="text-end pe-4">
+                            <?php if (has_permission('expense_categories_add')): ?>
                             <a href="expense_category_edit.php?id=<?= $cat['id'] ?>" class="btn btn-sm btn-outline-primary me-1"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('expense_categories_del')): ?>
                             <a href="?delete=<?= $cat['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure?')"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
@@ -81,4 +87,4 @@ include 'includes/header.php';
     </div>
 </div>
 
-<?php include 'includes/footer.php'; ?>
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/expenses.php b/admin/expenses.php
index f376a5e..0ce09b6 100644
--- a/admin/expenses.php
+++ b/admin/expenses.php
@@ -7,7 +7,7 @@ $pdo = db();
 $message = '';
 
 if (isset($_GET['delete'])) {
-    if (!has_permission('expenses_delete')) {
+    if (!has_permission('expenses_del')) {
         $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete expenses.</div>';
     } else {
         $id = $_GET['delete'];
@@ -131,10 +131,10 @@ include 'includes/header.php';
                         <td><?= htmlspecialchars($exp['description']) ?></td>
                         <td class="fw-bold"><?= format_currency($exp['amount']) ?></td>
                         <td class="text-end pe-4">
-                            <?php if (has_permission('expenses_edit')): ?>
+                            <?php if (has_permission('expenses_add')): ?>
                             <a href="expense_edit.php?id=<?= $exp['id'] ?>" class="btn btn-sm btn-outline-primary me-1"><i class="bi bi-pencil"></i></a>
                             <?php endif; ?>
-                            <?php if (has_permission('expenses_delete')): ?>
+                            <?php if (has_permission('expenses_del')): ?>
                             <a href="?delete=<?= $exp['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure?')"><i class="bi bi-trash"></i></a>
                             <?php endif; ?>
                         </td>
@@ -154,4 +154,4 @@ include 'includes/header.php';
     </div>
 </div>
 
-<?php include 'includes/footer.php'; ?>
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/index.php b/admin/index.php
index 1209cf7..bc7d0a4 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -5,169 +5,205 @@ require_once __DIR__ . '/../includes/functions.php';
 $pdo = db();
 require_permission('dashboard_view');
 
-// Fetch Dashboard Stats
-$today = date('Y-m-d');
+// Check if user should see the detailed dashboard or the simplified one
+// We'll use 'dashboard_add' as a proxy for 'detailed' access, or Super Admin (all)
+$isDetailed = has_permission('dashboard_add') || has_permission('all');
 
-// Total Revenue Today
-$stmt = $pdo->prepare("SELECT SUM(total_amount) FROM orders WHERE DATE(created_at) = ? AND status != 'cancelled'");
-$stmt->execute([$today]);
-$revenueToday = $stmt->fetchColumn() ?: 0;
+if ($isDetailed) {
+    // Fetch Dashboard Stats
+    $today = date('Y-m-d');
 
-// Total Orders Today
-$stmt = $pdo->prepare("SELECT COUNT(*) FROM orders WHERE DATE(created_at) = ?");
-$stmt->execute([$today]);
-$ordersToday = $stmt->fetchColumn();
+    // Total Revenue Today
+    $stmt = $pdo->prepare("SELECT SUM(total_amount) FROM orders WHERE DATE(created_at) = ? AND status != 'cancelled'");
+    $stmt->execute([$today]);
+    $revenueToday = $stmt->fetchColumn() ?: 0;
 
-// Active Outlets
-$outletsCount = $pdo->query("SELECT COUNT(*) FROM outlets")->fetchColumn();
+    // Total Orders Today
+    $stmt = $pdo->prepare("SELECT COUNT(*) FROM orders WHERE DATE(created_at) = ?");
+    $stmt->execute([$today]);
+    $ordersToday = $stmt->fetchColumn();
 
-// Total Products
-$productsCount = $pdo->query("SELECT COUNT(*) FROM products")->fetchColumn();
+    // Active Outlets
+    $outletsCount = $pdo->query("SELECT COUNT(*) FROM outlets")->fetchColumn();
 
-// Recent Orders
-$recentOrders = $pdo->query("SELECT o.*, 
-    (SELECT GROUP_CONCAT(p.name SEPARATOR ', ') FROM order_items oi JOIN products p ON oi.product_id = p.id WHERE oi.order_id = o.id) as items
-    FROM orders o ORDER BY created_at DESC LIMIT 5")->fetchAll();
+    // Total Products
+    $productsCount = $pdo->query("SELECT COUNT(*) FROM products")->fetchColumn();
+
+    // Recent Orders
+    $recentOrders = $pdo->query("SELECT o.*, 
+        (SELECT GROUP_CONCAT(p.name SEPARATOR ', ') FROM order_items oi JOIN products p ON oi.product_id = p.id WHERE oi.order_id = o.id) as items
+        FROM orders o ORDER BY created_at DESC LIMIT 5")->fetchAll();
+}
 
 include 'includes/header.php';
 ?>
 
-<div class="d-flex justify-content-between align-items-center mb-4">
-    <div>
-        <h2 class="fw-bold mb-1">Dashboard</h2>
-        <p class="text-muted">Welcome back, <?= htmlspecialchars($userName) ?>!</p>
+<?php if ($isDetailed): ?>
+    <div class="d-flex justify-content-between align-items-center mb-4">
+        <div>
+            <h2 class="fw-bold mb-1">Dashboard</h2>
+            <p class="text-muted">Welcome back, <?= htmlspecialchars($userName) ?>!</p>
+        </div>
+        <?php if (has_permission('orders_add')): ?>
+        <div>
+            <a href="../pos.php" class="btn btn-primary"><i class="bi bi-plus-lg me-1"></i> New Order</a>
+        </div>
+        <?php endif; ?>
     </div>
-    <?php if (has_permission('orders_add')): ?>
-    <div>
-        <a href="../pos.php" class="btn btn-primary"><i class="bi bi-plus-lg me-1"></i> New Order</a>
-    </div>
-    <?php endif; ?>
-</div>
 
-<div class="row g-4 mb-4">
-    <!-- Revenue Card -->
-    <div class="col-md-3">
-        <div class="card stat-card h-100 p-3">
-            <div class="d-flex align-items-center">
-                <div class="icon-box bg-success bg-opacity-10 text-success me-3">
-                    <i class="bi bi-currency-dollar"></i>
-                </div>
-                <div>
-                    <h6 class="text-muted mb-0">Today's Revenue</h6>
-                    <h3 class="fw-bold mb-0"><?= format_currency($revenueToday) ?></h3>
+    <div class="row g-4 mb-4">
+        <!-- Revenue Card -->
+        <div class="col-md-3">
+            <div class="card stat-card h-100 p-3">
+                <div class="d-flex align-items-center">
+                    <div class="icon-box bg-success bg-opacity-10 text-success me-3">
+                        <i class="bi bi-currency-dollar"></i>
+                    </div>
+                    <div>
+                        <h6 class="text-muted mb-0">Today's Revenue</h6>
+                        <h3 class="fw-bold mb-0"><?= format_currency($revenueToday) ?></h3>
+                    </div>
                 </div>
             </div>
         </div>
-    </div>
-    
-    <!-- Orders Card -->
-    <div class="col-md-3">
-        <div class="card stat-card h-100 p-3">
-            <div class="d-flex align-items-center">
-                <div class="icon-box bg-primary bg-opacity-10 text-primary me-3">
-                    <i class="bi bi-receipt"></i>
+        
+        <!-- Orders Card -->
+        <div class="col-md-3">
+            <div class="card stat-card h-100 p-3">
+                <div class="d-flex align-items-center">
+                    <div class="icon-box bg-primary bg-opacity-10 text-primary me-3">
+                        <i class="bi bi-receipt"></i>
+                    </div>
+                    <div>
+                        <h6 class="text-muted mb-0">Orders Today</h6>
+                        <h3 class="fw-bold mb-0"><?= $ordersToday ?></h3>
+                    </div>
                 </div>
-                <div>
-                    <h6 class="text-muted mb-0">Orders Today</h6>
-                    <h3 class="fw-bold mb-0"><?= $ordersToday ?></h3>
+            </div>
+        </div>
+
+        <!-- Outlets Card -->
+        <div class="col-md-3">
+            <div class="card stat-card h-100 p-3">
+                <div class="d-flex align-items-center">
+                    <div class="icon-box bg-warning bg-opacity-10 text-warning me-3">
+                        <i class="bi bi-shop"></i>
+                    </div>
+                    <div>
+                        <h6 class="text-muted mb-0">Active Outlets</h6>
+                        <h3 class="fw-bold mb-0"><?= $outletsCount ?></h3>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <!-- Products Card -->
+        <div class="col-md-3">
+            <div class="card stat-card h-100 p-3">
+                <div class="d-flex align-items-center">
+                    <div class="icon-box bg-info bg-opacity-10 text-info me-3">
+                        <i class="bi bi-box-seam"></i>
+                    </div>
+                    <div>
+                        <h6 class="text-muted mb-0">Total Products</h6>
+                        <h3 class="fw-bold mb-0"><?= $productsCount ?></h3>
+                    </div>
                 </div>
             </div>
         </div>
     </div>
 
-    <!-- Outlets Card -->
-    <div class="col-md-3">
-        <div class="card stat-card h-100 p-3">
-            <div class="d-flex align-items-center">
-                <div class="icon-box bg-warning bg-opacity-10 text-warning me-3">
-                    <i class="bi bi-shop"></i>
-                </div>
-                <div>
-                    <h6 class="text-muted mb-0">Active Outlets</h6>
-                    <h3 class="fw-bold mb-0"><?= $outletsCount ?></h3>
-                </div>
+    <!-- Recent Orders Table -->
+    <div class="card border-0 shadow-sm rounded-3">
+        <div class="card-header bg-white border-bottom py-3">
+            <h5 class="mb-0 fw-bold">Recent Orders</h5>
+        </div>
+        <div class="card-body p-0">
+            <div class="table-responsive">
+                <table class="table align-middle mb-0">
+                    <thead class="bg-light">
+                        <tr>
+                            <th class="ps-4">ID</th>
+                            <th>Type</th>
+                            <th>Table/Customer</th>
+                            <th>Total</th>
+                            <th>Status</th>
+                            <th>Date</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        <?php foreach ($recentOrders as $order): ?>
+                        <tr>
+                            <td class="ps-4 fw-medium">#<?= $order['id'] ?></td>
+                            <td>
+                                <?php 
+                                    $badge = match($order['order_type']) {
+                                        'dine-in' => 'bg-info',
+                                        'takeaway' => 'bg-success',
+                                        'delivery' => 'bg-warning',
+                                        'drive-thru' => 'bg-purple',
+                                        default => 'bg-secondary'
+                                    };
+                                ?>
+                                <span class="badge <?= $badge ?> text-dark bg-opacity-25 border border-<?= str_replace('bg-', '', $badge) ?>"><?= ucfirst($order['order_type']) ?></span>
+                            </td>
+                            <td>
+                                <?php if ($order['table_number']): ?>
+                                    Table <?= htmlspecialchars($order['table_number']) ?>
+                                <?php else: ?>
+                                    <?= htmlspecialchars($order['customer_name'] ?? 'Guest') ?>
+                                <?php endif; ?>
+                            </td>
+                            <td class="fw-bold"><?= format_currency($order['total_amount']) ?></td>
+                            <td>
+                                <span class="status-badge status-<?= $order['status'] ?> badge rounded-pill">
+                                    <?= ucfirst($order['status']) ?>
+                                </span>
+                            </td>
+                            <td class="text-muted small"><?= date('M d, H:i', strtotime($order['created_at'])) ?></td>
+                        </tr>
+                        <?php endforeach; ?>
+                        <?php if (empty($recentOrders)): ?>
+                            <tr><td colspan="6" class="text-center py-4 text-muted">No recent orders found.</td></tr>
+                        <?php endif; ?>
+                    </tbody>
+                </table>
             </div>
         </div>
+        <?php if (has_permission('orders_view')): ?>
+        <div class="card-footer bg-white text-center py-3">
+            <a href="orders.php" class="text-decoration-none fw-medium">View All Orders</a>
+        </div>
+        <?php endif; ?>
     </div>
-
-    <!-- Products Card -->
-    <div class="col-md-3">
-        <div class="card stat-card h-100 p-3">
-            <div class="d-flex align-items-center">
-                <div class="icon-box bg-info bg-opacity-10 text-info me-3">
-                    <i class="bi bi-box-seam"></i>
+<?php else: ?>
+    <!-- Simplified Dashboard -->
+    <div class="d-flex flex-column align-items-center justify-content-center py-5 mt-5">
+        <div class="mb-4">
+            <?php if ($logoUrl): ?>
+                <img src="../<?= htmlspecialchars($logoUrl) ?>" alt="<?= htmlspecialchars($companyName) ?>" style="max-height: 120px; max-width: 100%; filter: drop-shadow(0 10px 15px rgba(0,0,0,0.1));">
+            <?php else: ?>
+                <div class="bg-primary bg-opacity-10 text-primary p-4 rounded-circle mb-3 shadow-sm" style="width: 120px; height: 120px; display: flex; align-items: center; justify-content: center;">
+                    <i class="bi bi-shop fs-1"></i>
                 </div>
-                <div>
-                    <h6 class="text-muted mb-0">Total Products</h6>
-                    <h3 class="fw-bold mb-0"><?= $productsCount ?></h3>
-                </div>
-            </div>
+            <?php endif; ?>
+        </div>
+        <h1 class="fw-bold text-center mb-2"><?= htmlspecialchars($companyName) ?></h1>
+        <p class="text-muted text-center fs-5 mb-4">Welcome to the Admin Panel, <?= htmlspecialchars($userName) ?>!</p>
+        
+        <div class="d-flex gap-3 mt-4">
+            <?php if (has_permission('pos_view')): ?>
+            <a href="../pos.php" class="btn btn-primary btn-lg rounded-pill px-5 shadow-sm">
+                <i class="bi bi-display me-2"></i> POS Terminal
+            </a>
+            <?php endif; ?>
+            <?php if (has_permission('kitchen_view')): ?>
+            <a href="../kitchen.php" class="btn btn-outline-primary btn-lg rounded-pill px-5">
+                <i class="bi bi-fire me-2"></i> Kitchen View
+            </a>
+            <?php endif; ?>
         </div>
     </div>
-</div>
+<?php endif; ?>
 
-<!-- Recent Orders Table -->
-<div class="card border-0 shadow-sm rounded-3">
-    <div class="card-header bg-white border-bottom py-3">
-        <h5 class="mb-0 fw-bold">Recent Orders</h5>
-    </div>
-    <div class="card-body p-0">
-        <div class="table-responsive">
-            <table class="table align-middle mb-0">
-                <thead class="bg-light">
-                    <tr>
-                        <th class="ps-4">ID</th>
-                        <th>Type</th>
-                        <th>Table/Customer</th>
-                        <th>Total</th>
-                        <th>Status</th>
-                        <th>Date</th>
-                    </tr>
-                </thead>
-                <tbody>
-                    <?php foreach ($recentOrders as $order): ?>
-                    <tr>
-                        <td class="ps-4 fw-medium">#<?= $order['id'] ?></td>
-                        <td>
-                            <?php 
-                                $badge = match($order['order_type']) {
-                                    'dine-in' => 'bg-info',
-                                    'takeaway' => 'bg-success',
-                                    'delivery' => 'bg-warning',
-                                    'drive-thru' => 'bg-purple',
-                                    default => 'bg-secondary'
-                                };
-                            ?>
-                            <span class="badge <?= $badge ?> text-dark bg-opacity-25 border border-<?= str_replace('bg-', '', $badge) ?>"><?= ucfirst($order['order_type']) ?></span>
-                        </td>
-                        <td>
-                            <?php if ($order['table_number']): ?>
-                                Table <?= htmlspecialchars($order['table_number']) ?>
-                            <?php else: ?>
-                                <?= htmlspecialchars($order['customer_name'] ?? 'Guest') ?>
-                            <?php endif; ?>
-                        </td>
-                        <td class="fw-bold"><?= format_currency($order['total_amount']) ?></td>
-                        <td>
-                            <span class="status-badge status-<?= $order['status'] ?> badge rounded-pill">
-                                <?= ucfirst($order['status']) ?>
-                            </span>
-                        </td>
-                        <td class="text-muted small"><?= date('M d, H:i', strtotime($order['created_at'])) ?></td>
-                    </tr>
-                    <?php endforeach; ?>
-                    <?php if (empty($recentOrders)): ?>
-                        <tr><td colspan="6" class="text-center py-4 text-muted">No recent orders found.</td></tr>
-                    <?php endif; ?>
-                </tbody>
-            </table>
-        </div>
-    </div>
-    <?php if (has_permission('orders_view')): ?>
-    <div class="card-footer bg-white text-center py-3">
-        <a href="orders.php" class="text-decoration-none fw-medium">View All Orders</a>
-    </div>
-    <?php endif; ?>
-</div>
-
-<?php include 'includes/footer.php'; ?>
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/integrations.php b/admin/integrations.php
index 759cac9..d619343 100644
--- a/admin/integrations.php
+++ b/admin/integrations.php
@@ -9,6 +9,11 @@ $wablasTestResult = null;
 $message = '';
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!has_permission('settings_add')) {
+        header("Location: integrations.php?error=permission_denied");
+        exit;
+    }
+    
     $provider = $_POST['provider'] ?? '';
     $action = $_POST['action'] ?? 'save';
     
@@ -103,6 +108,10 @@ require_once __DIR__ . '/includes/header.php';
         <h2 class="h3 mb-0 text-gray-800">Integrations</h2>
     </div>
 
+    <?php if (isset($_GET['error']) && $_GET['error'] == 'permission_denied'): ?>
+        <div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to perform this action.</div>
+    <?php endif; ?>
+
     <?php if (isset($_GET['msg']) && $_GET['msg'] == 'saved'): ?>
         <div class="alert alert-success alert-dismissible fade show" role="alert">
             Settings saved successfully.
@@ -129,20 +138,22 @@ require_once __DIR__ . '/includes/header.php';
                         <input type="hidden" name="provider" value="thawani">
                         <div class="mb-3">
                             <label class="form-label">Environment</label>
-                            <select class="form-select" name="environment">
+                            <select class="form-select" name="environment" <?= !has_permission('settings_add') ? 'disabled' : '' ?>>
                                 <option value="sandbox" <?= $thawaniEnv == 'sandbox' ? 'selected' : '' ?>>Sandbox</option>
                                 <option value="production" <?= $thawaniEnv == 'production' ? 'selected' : '' ?>>Production</option>
                             </select>
                         </div>
                         <div class="mb-3">
                             <label class="form-label">Public Key</label>
-                            <input type="text" class="form-control" name="public_key" value="<?= htmlspecialchars($thawaniPub) ?>">
+                            <input type="text" class="form-control" name="public_key" value="<?= htmlspecialchars($thawaniPub) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         </div>
                         <div class="mb-3">
                             <label class="form-label">Secret Key</label>
-                            <input type="password" class="form-control" name="secret_key" value="<?= htmlspecialchars($thawaniSec) ?>">
+                            <input type="password" class="form-control" name="secret_key" value="<?= htmlspecialchars($thawaniSec) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         </div>
+                        <?php if (has_permission('settings_add')): ?>
                         <button type="submit" name="action" value="save" class="btn btn-primary">Save Thawani Settings</button>
+                        <?php endif; ?>
                     </form>
                 </div>
             </div>
@@ -154,7 +165,7 @@ require_once __DIR__ . '/includes/header.php';
                 <div class="card-header py-3 d-flex flex-row align-items-center justify-content-between">
                     <h6 class="m-0 fw-bold text-success">Wablas WhatsApp</h6>
                     <div class="form-check form-switch">
-                        <input class="form-check-input" type="checkbox" name="is_enabled" id="is_enabled_switch" form="wablas_form" value="1" <?= $wablasEnabled === '1' ? 'checked' : '' ?>>
+                        <input class="form-check-input" type="checkbox" name="is_enabled" id="is_enabled_switch" form="wablas_form" value="1" <?= $wablasEnabled === '1' ? 'checked' : '' ?> <?= !has_permission('settings_add') ? 'disabled' : '' ?>>
                         <label class="form-check-label" for="is_enabled_switch">Enabled</label>
                     </div>
                 </div>
@@ -165,20 +176,20 @@ require_once __DIR__ . '/includes/header.php';
                         <!-- Also keep a hidden input to send '0' if checkbox is unchecked (handled in PHP POST block too) -->
                         <div class="mb-3">
                             <label class="form-label">Domain</label>
-                            <input type="text" class="form-control" name="domain" placeholder="https://..." value="<?= htmlspecialchars($wablasDom) ?>">
+                            <input type="text" class="form-control" name="domain" placeholder="https://..." value="<?= htmlspecialchars($wablasDom) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         </div>
                         <div class="mb-3">
                             <label class="form-label">Token</label>
-                            <input type="password" class="form-control" name="token" value="<?= htmlspecialchars($wablasTok) ?>">
+                            <input type="password" class="form-control" name="token" value="<?= htmlspecialchars($wablasTok) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         </div>
                         <div class="mb-3">
                             <label class="form-label">Secret Key</label>
-                            <input type="password" class="form-control" name="secret_key" value="<?= htmlspecialchars($wablasSecKey) ?>">
+                            <input type="password" class="form-control" name="secret_key" value="<?= htmlspecialchars($wablasSecKey) ?>" <?= !has_permission('settings_add') ? 'readonly' : '' ?>>
                         </div>
                         
                         <div class="mb-3">
                             <label class="form-label">Order Notification Template</label>
-                            <textarea class="form-control font-monospace" name="order_template" rows="8"><?= htmlspecialchars($wablasTemplate) ?></textarea>
+                            <textarea class="form-control font-monospace" name="order_template" rows="8" <?= !has_permission('settings_add') ? 'readonly' : '' ?>><?= htmlspecialchars($wablasTemplate) ?></textarea>
                             <div class="form-text mt-2">
                                 <strong>Available Variables:</strong><br>
                                 <code>{customer_name}</code>, <code>{company_name}</code>, <code>{order_id}</code>, 
@@ -187,6 +198,7 @@ require_once __DIR__ . '/includes/header.php';
                             </div>
                         </div>
 
+                        <?php if (has_permission('settings_add')): ?>
                         <div class="mb-3 border-top pt-3">
                             <label class="form-label text-muted small">Test Configuration</label>
                             <div class="input-group">
@@ -199,6 +211,7 @@ require_once __DIR__ . '/includes/header.php';
                         <div class="d-flex justify-content-end">
                             <button type="submit" name="action" value="save" class="btn btn-success">Save Settings</button>
                         </div>
+                        <?php endif; ?>
                     </form>
                 </div>
             </div>
@@ -206,4 +219,4 @@ require_once __DIR__ . '/includes/header.php';
     </div>
 </div>
 
-<?php require_once __DIR__ . '/includes/footer.php'; ?>
\ No newline at end of file
+<?php require_once __DIR__ . '/includes/header.php'; ?>
\ No newline at end of file
diff --git a/admin/loyalty.php b/admin/loyalty.php
index a3aa3fa..c76c313 100644
--- a/admin/loyalty.php
+++ b/admin/loyalty.php
@@ -4,16 +4,22 @@ require_permission("loyalty_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 // Handle Settings Update
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update_settings'])) {
-    $points_per_order = intval($_POST['points_per_order']);
-    $points_for_free_meal = intval($_POST['points_for_free_meal']);
-    $is_enabled = isset($_POST['is_enabled']) ? 1 : 0;
-    
-    $stmt = $pdo->prepare("UPDATE loyalty_settings SET points_per_order = ?, points_for_free_meal = ?, is_enabled = ? WHERE id = 1");
-    $stmt->execute([$points_per_order, $points_for_free_meal, $is_enabled]);
-    
-    $success_msg = "Loyalty settings updated successfully!";
+    if (!has_permission('loyalty_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to update loyalty settings.</div>';
+    } else {
+        $points_per_order = intval($_POST['points_per_order']);
+        $points_for_free_meal = intval($_POST['points_for_free_meal']);
+        $is_enabled = isset($_POST['is_enabled']) ? 1 : 0;
+        
+        $stmt = $pdo->prepare("UPDATE loyalty_settings SET points_per_order = ?, points_for_free_meal = ?, is_enabled = ? WHERE id = 1");
+        $stmt->execute([$points_per_order, $points_for_free_meal, $is_enabled]);
+        
+        $message = '<div class="alert alert-success">Loyalty settings updated successfully!</div>';
+    }
 }
 
 // Fetch Settings
@@ -50,17 +56,14 @@ include 'includes/header.php';
             <span class="badge bg-danger-subtle text-danger border border-danger-subtle px-3">Disabled</span>
         <?php endif; ?>
     </div>
+    <?php if (has_permission('loyalty_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#settingsModal">
         <i class="bi bi-gear-fill me-2"></i> Configure Settings
     </button>
+    <?php endif; ?>
 </div>
 
-<?php if (isset($success_msg)): ?>
-    <div class="alert alert-success alert-dismissible fade show" role="alert">
-        <?= htmlspecialchars($success_msg) ?>
-        <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
-    </div>
-<?php endif; ?>
+<?= $message ?>
 
 <div class="row mb-4">
     <div class="col-md-6 col-lg-4">
@@ -167,6 +170,7 @@ include 'includes/header.php';
 </div>
 
 <!-- Settings Modal -->
+<?php if (has_permission('loyalty_add')): ?>
 <div class="modal fade" id="settingsModal" tabindex="-1">
     <div class="modal-dialog">
         <form method="POST" class="modal-content">
@@ -203,5 +207,6 @@ include 'includes/header.php';
         </form>
     </div>
 </div>
+<?php endif; ?>
 
 <?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/order_edit.php b/admin/order_edit.php
new file mode 100644
index 0000000..0c32d63
--- /dev/null
+++ b/admin/order_edit.php
@@ -0,0 +1,166 @@
+<?php
+declare(strict_types=1);
+require_once __DIR__ . '/../db/config.php';
+require_once __DIR__ . '/../includes/functions.php';
+
+$pdo = db();
+require_permission('orders_add');
+
+$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
+if (!$id) {
+    header("Location: orders.php");
+    exit;
+}
+
+$message = '';
+
+// Handle Form Submission
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $status = $_POST['status'];
+    $outlet_id = (int)$_POST['outlet_id'];
+    $customer_id = !empty($_POST['customer_id']) ? (int)$_POST['customer_id'] : null;
+    $order_type = $_POST['order_type'];
+    $table_number = $_POST['table_number'];
+    $notes = $_POST['notes'];
+
+    $stmt = $pdo->prepare("UPDATE orders SET 
+        status = ?, 
+        outlet_id = ?, 
+        customer_id = ?, 
+        order_type = ?, 
+        table_number = ?, 
+        notes = ?,
+        updated_at = CURRENT_TIMESTAMP 
+        WHERE id = ?");
+    
+    if ($stmt->execute([$status, $outlet_id, $customer_id, $order_type, $table_number, $notes, $id])) {
+        $message = '<div class="alert alert-success border-0 shadow-sm rounded-3"><i class="bi bi-check-circle-fill me-2"></i>Order updated successfully!</div>';
+        // Redirect back after short delay or via header
+        header("Refresh: 2; url=order_view.php?id=$id");
+    } else {
+        $message = '<div class="alert alert-danger border-0 shadow-sm rounded-3"><i class="bi bi-exclamation-triangle-fill me-2"></i>Error updating order.</div>';
+    }
+}
+
+// Fetch Order Details
+$stmt = $pdo->prepare("SELECT * FROM orders WHERE id = ?");
+$stmt->execute([$id]);
+$order = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$order) {
+    die("Order not found.");
+}
+
+// Fetch Outlets
+$outlets = $pdo->query("SELECT id, name FROM outlets ORDER BY name")->fetchAll(PDO::FETCH_ASSOC);
+
+// Fetch Customers
+$customers = $pdo->query("SELECT id, name FROM customers ORDER BY name")->fetchAll(PDO::FETCH_ASSOC);
+
+include 'includes/header.php';
+?>
+
+<div class="d-flex justify-content-between align-items-center mb-4">
+    <h2 class="fw-bold mb-0">Edit Order #<?= $order['id'] ?></h2>
+    <div class="d-flex gap-2">
+        <a href="order_view.php?id=<?= $id ?>" class="btn btn-outline-secondary">
+            <i class="bi bi-arrow-left"></i> Cancel
+        </a>
+        <a href="orders.php" class="btn btn-light border">
+            <i class="bi bi-list"></i> Back to List
+        </a>
+    </div>
+</div>
+
+<?= $message ?>
+
+<div class="row">
+    <div class="col-md-8">
+        <div class="card border-0 shadow-sm">
+            <div class="card-body">
+                <form method="POST">
+                    <div class="row g-3 mb-4">
+                        <div class="col-md-6">
+                            <label class="form-label small fw-bold text-muted text-uppercase">Order Status</label>
+                            <select name="status" class="form-select form-select-lg" required>
+                                <option value="pending" <?= $order['status'] === 'pending' ? 'selected' : '' ?>>Pending</option>
+                                <option value="preparing" <?= $order['status'] === 'preparing' ? 'selected' : '' ?>>Preparing</option>
+                                <option value="ready" <?= $order['status'] === 'ready' ? 'selected' : '' ?>>Ready</option>
+                                <option value="completed" <?= $order['status'] === 'completed' ? 'selected' : '' ?>>Completed</option>
+                                <option value="cancelled" <?= $order['status'] === 'cancelled' ? 'selected' : '' ?>>Cancelled</option>
+                            </select>
+                        </div>
+                        <div class="col-md-6">
+                            <label class="form-label small fw-bold text-muted text-uppercase">Outlet</label>
+                            <select name="outlet_id" class="form-select form-select-lg" required>
+                                <?php foreach ($outlets as $outlet): ?>
+                                    <option value="<?= $outlet['id'] ?>" <?= $order['outlet_id'] == $outlet['id'] ? 'selected' : '' ?>>
+                                        <?= htmlspecialchars($outlet['name']) ?>
+                                    </option>
+                                <?php endforeach; ?>
+                            </select>
+                        </div>
+                    </div>
+
+                    <div class="row g-3 mb-4">
+                        <div class="col-md-6">
+                            <label class="form-label small fw-bold text-muted text-uppercase">Order Type</label>
+                            <select name="order_type" class="form-select" required>
+                                <option value="dine-in" <?= $order['order_type'] === 'dine-in' ? 'selected' : '' ?>>Dine-In</option>
+                                <option value="takeaway" <?= $order['order_type'] === 'takeaway' ? 'selected' : '' ?>>Takeaway</option>
+                                <option value="delivery" <?= $order['order_type'] === 'delivery' ? 'selected' : '' ?>>Delivery</option>
+                                <option value="drive-thru" <?= $order['order_type'] === 'drive-thru' ? 'selected' : '' ?>>Drive-Thru</option>
+                            </select>
+                        </div>
+                        <div class="col-md-6">
+                            <label class="form-label small fw-bold text-muted text-uppercase">Table Number</label>
+                            <input type="text" name="table_number" class="form-control" value="<?= htmlspecialchars((string)($order['table_number'] ?? '')) ?>" placeholder="e.g. 5">
+                        </div>
+                    </div>
+
+                    <div class="mb-4">
+                        <label class="form-label small fw-bold text-muted text-uppercase">Customer</label>
+                        <select name="customer_id" class="form-select">
+                            <option value="">Guest (None)</option>
+                            <?php foreach ($customers as $customer): ?>
+                                <option value="<?= $customer['id'] ?>" <?= $order['customer_id'] == $customer['id'] ? 'selected' : '' ?>>
+                                    <?= htmlspecialchars($customer['name']) ?>
+                                </option>
+                            <?php endforeach; ?>
+                        </select>
+                    </div>
+
+                    <div class="mb-4">
+                        <label class="form-label small fw-bold text-muted text-uppercase">Order Notes</label>
+                        <textarea name="notes" class="form-control" rows="4" placeholder="Add any special instructions or notes..."><?= htmlspecialchars((string)($order['notes'] ?? '')) ?></textarea>
+                    </div>
+
+                    <div class="d-flex justify-content-end gap-2 border-top pt-4 mt-4">
+                        <a href="order_view.php?id=<?= $id ?>" class="btn btn-light rounded-pill px-4">Discard Changes</a>
+                        <button type="submit" class="btn btn-primary rounded-pill px-4">Update Order Details</button>
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+    <div class="col-md-4">
+        <div class="card border-0 shadow-sm bg-light">
+            <div class="card-body">
+                <h6 class="fw-bold mb-3"><i class="bi bi-info-circle me-2"></i>Editing Order Information</h6>
+                <p class="small text-muted mb-3">Updating the status here will immediately reflect across all systems (Kitchen, POS, Admin).</p>
+                <div class="alert alert-warning border-0 small py-2 px-3">
+                    <i class="bi bi-exclamation-triangle-fill me-1"></i> Changes to items should be handled via the POS system or directly in the database.
+                </div>
+                <div class="mt-4 pt-4 border-top">
+                    <p class="small text-muted mb-1 text-uppercase fw-bold">Order Created</p>
+                    <p class="mb-3"><?= date('M d, Y H:i:s', strtotime($order['created_at'])) ?></p>
+                    
+                    <p class="small text-muted mb-1 text-uppercase fw-bold">Last Updated</p>
+                    <p class="mb-0"><?= $order['updated_at'] ? date('M d, Y H:i:s', strtotime($order['updated_at'])) : 'Never' ?></p>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/order_view.php b/admin/order_view.php
new file mode 100644
index 0000000..d53a8a0
--- /dev/null
+++ b/admin/order_view.php
@@ -0,0 +1,225 @@
+<?php
+declare(strict_types=1);
+require_once __DIR__ . '/../db/config.php';
+require_once __DIR__ . '/../includes/functions.php';
+
+$pdo = db();
+require_permission('orders_view');
+
+$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
+if (!$id) {
+    header("Location: orders.php");
+    exit;
+}
+
+// Fetch Order Details
+$stmt = $pdo->prepare("SELECT o.*, ot.name as outlet_name, pt.name as payment_type_name,
+    c.name as customer_name, c.phone as customer_phone, c.email as customer_email,
+    u.username as created_by_username
+    FROM orders o 
+    LEFT JOIN outlets ot ON o.outlet_id = ot.id
+    LEFT JOIN payment_types pt ON o.payment_type_id = pt.id
+    LEFT JOIN customers c ON o.customer_id = c.id
+    LEFT JOIN users u ON o.user_id = u.id
+    WHERE o.id = ?");
+$stmt->execute([$id]);
+$order = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$order) {
+    die("Order not found.");
+}
+
+// Fetch Order Items
+$stmt = $pdo->prepare("SELECT oi.*, p.name as product_name, pv.name as variant_name 
+    FROM order_items oi 
+    JOIN products p ON oi.product_id = p.id 
+    LEFT JOIN product_variants pv ON oi.variant_id = pv.id 
+    WHERE oi.order_id = ?");
+$stmt->execute([$id]);
+$items = $stmt->fetchAll(PDO::FETCH_ASSOC);
+
+include 'includes/header.php';
+
+// Calculate subtotal from items to be sure
+$subtotal = 0;
+foreach ($items as $item) {
+    $subtotal += $item['unit_price'] * $item['quantity'];
+}
+?>
+
+<div class="d-flex justify-content-between align-items-center mb-4">
+    <div>
+        <h2 class="fw-bold mb-0">Order #<?= $order['id'] ?></h2>
+        <p class="text-muted mb-0">Placed on <?= date('M d, Y H:i', strtotime($order['created_at'])) ?></p>
+    </div>
+    <div class="d-flex gap-2">
+        <a href="orders.php" class="btn btn-outline-secondary">
+            <i class="bi bi-arrow-left"></i> Back to List
+        </a>
+        <button onclick="window.print()" class="btn btn-light border">
+            <i class="bi bi-printer"></i> Print Receipt
+        </button>
+        <?php if (has_permission('orders_add')): ?>
+        <a href="order_edit.php?id=<?= $order['id'] ?>" class="btn btn-primary">
+            <i class="bi bi-pencil"></i> Edit Order
+        </a>
+        <?php endif; ?>
+    </div>
+</div>
+
+<div class="row">
+    <div class="col-md-8">
+        <!-- Order Items -->
+        <div class="card border-0 shadow-sm mb-4">
+            <div class="card-header bg-white py-3">
+                <h5 class="card-title mb-0 fw-bold">Order Items</h5>
+            </div>
+            <div class="card-body p-0">
+                <div class="table-responsive">
+                    <table class="table align-middle mb-0">
+                        <thead class="bg-light text-muted small text-uppercase">
+                            <tr>
+                                <th class="ps-4">Product</th>
+                                <th class="text-center">Price</th>
+                                <th class="text-center">Qty</th>
+                                <th class="text-end pe-4">Total</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            <?php foreach ($items as $item): ?>
+                            <tr>
+                                <td class="ps-4">
+                                    <div class="fw-bold text-dark"><?= htmlspecialchars($item['product_name']) ?></div>
+                                    <?php if ($item['variant_name']): ?>
+                                        <small class="text-muted">Variant: <?= htmlspecialchars($item['variant_name']) ?></small>
+                                    <?php endif; ?>
+                                </td>
+                                <td class="text-center"><?= format_currency($item['unit_price']) ?></td>
+                                <td class="text-center"><?= $item['quantity'] ?></td>
+                                <td class="text-end pe-4 fw-bold"><?= format_currency($item['unit_price'] * $item['quantity']) ?></td>
+                            </tr>
+                            <?php endforeach; ?>
+                        </tbody>
+                        <tfoot class="bg-light">
+                            <tr>
+                                <td colspan="3" class="text-end py-3 ps-4">
+                                    <div class="text-muted mb-1">Subtotal</div>
+                                    <?php if ($order['discount'] > 0): ?>
+                                        <div class="text-muted mb-1">Discount</div>
+                                    <?php endif; ?>
+                                    <div class="text-muted mb-1">VAT / Tax</div>
+                                    <h5 class="fw-bold mb-0 text-dark">Total Amount</h5>
+                                </td>
+                                <td class="text-end py-3 pe-4">
+                                    <div class="mb-1"><?= format_currency($subtotal) ?></div>
+                                    <?php if ($order['discount'] > 0): ?>
+                                        <div class="mb-1 text-danger">-<?= format_currency($order['discount']) ?></div>
+                                    <?php endif; ?>
+                                    <div class="mb-1"><?= format_currency(0) ?></div>
+                                    <h5 class="fw-bold mb-0 text-primary"><?= format_currency($order['total_amount']) ?></h5>
+                                </td>
+                            </tr>
+                        </tfoot>
+                    </table>
+                </div>
+            </div>
+        </div>
+
+        <!-- Additional Info -->
+        <div class="card border-0 shadow-sm">
+            <div class="card-body">
+                <h5 class="fw-bold mb-3">Internal Notes</h5>
+                <p class="text-muted"><?= htmlspecialchars($order['notes'] ?? 'No notes provided for this order.') ?></p>
+            </div>
+        </div>
+    </div>
+    
+    <div class="col-md-4">
+        <!-- Status & Payment -->
+        <div class="card border-0 shadow-sm mb-4">
+            <div class="card-body">
+                <h6 class="text-muted small text-uppercase fw-bold mb-3">Order Status</h6>
+                <div class="d-flex align-items-center mb-4">
+                    <span class="badge rounded-pill fs-6 px-3 py-2 status-<?= $order['status'] ?>">
+                        <?= ucfirst($order['status']) ?>
+                    </span>
+                    <span class="ms-3 text-muted small">Last updated: <?= date('M d, H:i', strtotime($order['updated_at'] ?? $order['created_at'])) ?></span>
+                </div>
+
+                <hr>
+
+                <h6 class="text-muted small text-uppercase fw-bold mb-3 mt-4">Payment Information</h6>
+                <div class="d-flex justify-content-between mb-2">
+                    <span class="text-muted">Method:</span>
+                    <span class="fw-bold text-dark"><?= htmlspecialchars($order['payment_type_name'] ?? 'Unpaid') ?></span>
+                </div>
+                <div class="d-flex justify-content-between">
+                    <span class="text-muted">Status:</span>
+                    <span class="badge bg-success bg-opacity-10 text-success border border-success">Paid</span>
+                </div>
+            </div>
+        </div>
+
+        <!-- Order Details -->
+        <div class="card border-0 shadow-sm mb-4">
+            <div class="card-body">
+                <h6 class="text-muted small text-uppercase fw-bold mb-3">Order Details</h6>
+                <div class="mb-3">
+                    <label class="text-muted small d-block">Outlet</label>
+                    <div class="fw-bold"><?= htmlspecialchars($order['outlet_name'] ?? 'N/A') ?></div>
+                </div>
+                <div class="mb-3">
+                    <label class="text-muted small d-block">Order Type</label>
+                    <div class="fw-bold"><?= ucfirst($order['order_type']) ?></div>
+                </div>
+                <?php if ($order['order_type'] === 'dine-in'): ?>
+                <div class="mb-3">
+                    <label class="text-muted small d-block">Table Number</label>
+                    <div class="fw-bold">Table <?= htmlspecialchars((string)$order['table_number']) ?></div>
+                </div>
+                <?php endif; ?>
+                <div class="mb-0">
+                    <label class="text-muted small d-block">Processed By</label>
+                    <div class="fw-bold"><?= htmlspecialchars($order['created_by_username'] ?? 'System') ?></div>
+                </div>
+            </div>
+        </div>
+
+        <!-- Customer Info -->
+        <div class="card border-0 shadow-sm">
+            <div class="card-body">
+                <h6 class="text-muted small text-uppercase fw-bold mb-3">Customer Information</h6>
+                <?php if ($order['customer_name']): ?>
+                    <div class="d-flex align-items-center mb-3">
+                        <div class="bg-primary bg-opacity-10 text-primary p-2 rounded-circle me-3">
+                            <i class="bi bi-person fs-4"></i>
+                        </div>
+                        <div>
+                            <div class="fw-bold"><?= htmlspecialchars($order['customer_name']) ?></div>
+                            <small class="text-muted">Customer ID: #<?= $order['customer_id'] ?></small>
+                        </div>
+                    </div>
+                    <?php if ($order['customer_phone']): ?>
+                    <div class="mb-2">
+                        <i class="bi bi-telephone text-muted me-2"></i>
+                        <a href="tel:<?= $order['customer_phone'] ?>" class="text-decoration-none text-dark"><?= htmlspecialchars($order['customer_phone'] ?? '') ?></a>
+                    </div>
+                    <?php endif; ?>
+                    <?php if ($order['customer_email']): ?>
+                    <div class="mb-0">
+                        <i class="bi bi-envelope text-muted me-2"></i>
+                        <a href="mailto:<?= $order['customer_email'] ?>" class="text-decoration-none text-dark"><?= htmlspecialchars($order['customer_email'] ?? '') ?></a>
+                    </div>
+                    <?php endif; ?>
+                <?php else: ?>
+                    <div class="text-center py-3">
+                        <i class="bi bi-person-x fs-1 text-muted opacity-25"></i>
+                        <p class="text-muted small mb-0 mt-2">No customer attached to this order (Guest)</p>
+                    </div>
+                <?php endif; ?>
+            </div>
+        </div>
+    </div>
+</div>
+
+<?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/orders.php b/admin/orders.php
index e96422f..5a42bd9 100644
--- a/admin/orders.php
+++ b/admin/orders.php
@@ -33,6 +33,26 @@ if (isset($_POST['action']) && $_POST['action'] === 'stop_promotions') {
     exit;
 }
 
+// Handle Delete Order
+if (isset($_GET['delete'])) {
+    if (!has_permission('manage_orders')) {
+        header("Location: orders.php?error=permission_denied");
+        exit;
+    }
+    $id = (int)$_GET['delete'];
+    $pdo->beginTransaction();
+    try {
+        $pdo->prepare("DELETE FROM order_items WHERE order_id = ?")->execute([$id]);
+        $pdo->prepare("DELETE FROM orders WHERE id = ?")->execute([$id]);
+        $pdo->commit();
+        header("Location: orders.php?success=order_deleted");
+    } catch (Exception $e) {
+        $pdo->rollBack();
+        header("Location: orders.php?error=delete_failed");
+    }
+    exit;
+}
+
 // Fetch Outlets for Filter
 $outlets = $pdo->query("SELECT id, name FROM outlets ORDER BY name")->fetchAll(PDO::FETCH_ASSOC);
 
@@ -107,14 +127,24 @@ include 'includes/header.php';
     </div>
 </div>
 
-<?php if (isset($_GET['error']) && $_GET['error'] === 'permission_denied'): ?>
-<div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to perform this action.</div>
+<?php if (isset($_GET['error'])): ?>
+    <?php if ($_GET['error'] === 'permission_denied'): ?>
+    <div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to perform this action.</div>
+    <?php elseif ($_GET['error'] === 'delete_failed'): ?>
+    <div class="alert alert-danger border-0 shadow-sm rounded-3">Error: Failed to delete order.</div>
+    <?php endif; ?>
 <?php endif; ?>
 
-<?php if (isset($_GET['success']) && $_GET['success'] === 'promotions_stopped'): ?>
-<div class="alert alert-success border-0 shadow-sm rounded-3">
-    <i class="bi bi-check-circle-fill me-2"></i> All running promotions have been stopped successfully.
-</div>
+<?php if (isset($_GET['success'])): ?>
+    <?php if ($_GET['success'] === 'promotions_stopped'): ?>
+    <div class="alert alert-success border-0 shadow-sm rounded-3">
+        <i class="bi bi-check-circle-fill me-2"></i> All running promotions have been stopped successfully.
+    </div>
+    <?php elseif ($_GET['success'] === 'order_deleted'): ?>
+    <div class="alert alert-success border-0 shadow-sm rounded-3">
+        <i class="bi bi-check-circle-fill me-2"></i> Order has been deleted successfully.
+    </div>
+    <?php endif; ?>
 <?php endif; ?>
 
 <!-- Summary Stats -->
@@ -231,7 +261,7 @@ include 'includes/header.php';
                         <th>Payment</th>
                         <th>Status</th>
                         <th>Time</th>
-                        <th>Action</th>
+                        <th class="text-end pe-4">Actions</th>
                     </tr>
                 </thead>
                 <tbody>
@@ -299,34 +329,50 @@ include 'includes/header.php';
                                 <div><?= date('M d', strtotime($order['created_at'])) ?></div>
                                 <div><?= date('H:i', strtotime($order['created_at'])) ?></div>
                             </td>
-                            <td>
-                                <?php if (has_permission('orders_add')): ?>
-                                <form method="POST" class="d-flex gap-2">
-                                    <input type="hidden" name="order_id" value="<?= $order['id'] ?>">
-                                    <input type="hidden" name="action" value="update_status">
-                                    
-                                    <?php if ($order['status'] === 'pending'): ?>
-                                        <button type="submit" name="status" value="preparing" class="btn btn-sm btn-primary">
-                                            <i class="bi bi-play-fill"></i> Start
-                                        </button>
-                                        <button type="submit" name="status" value="cancelled" class="btn btn-sm btn-outline-danger">
-                                            <i class="bi bi-x"></i>
-                                        </button>
-                                    <?php elseif ($order['status'] === 'preparing'): ?>
-                                        <button type="submit" name="status" value="ready" class="btn btn-sm btn-warning text-dark">
-                                            <i class="bi bi-check-circle"></i> Ready
-                                        </button>
-                                    <?php elseif ($order['status'] === 'ready'): ?>
-                                        <button type="submit" name="status" value="completed" class="btn btn-sm btn-success">
-                                            <i class="bi bi-check-all"></i> Complete
-                                        </button>
-                                    <?php else: ?>
-                                        <span class="text-muted small">-</span>
+                            <td class="text-end pe-4">
+                                <div class="d-flex gap-2 justify-content-end align-items-center">
+                                    <!-- Status Workflow Buttons -->
+                                    <?php if (has_permission('orders_add')): ?>
+                                    <form method="POST" class="d-flex gap-1 me-2 border-end pe-2">
+                                        <input type="hidden" name="order_id" value="<?= $order['id'] ?>">
+                                        <input type="hidden" name="action" value="update_status">
+                                        
+                                        <?php if ($order['status'] === 'pending'): ?>
+                                            <button type="submit" name="status" value="preparing" class="btn btn-sm btn-primary py-0 px-1" title="Start Preparing">
+                                                <i class="bi bi-play-fill"></i>
+                                            </button>
+                                            <button type="submit" name="status" value="cancelled" class="btn btn-sm btn-outline-danger py-0 px-1" title="Cancel Order">
+                                                <i class="bi bi-x"></i>
+                                            </button>
+                                        <?php elseif ($order['status'] === 'preparing'): ?>
+                                            <button type="submit" name="status" value="ready" class="btn btn-sm btn-warning text-dark py-0 px-1" title="Mark Ready">
+                                                <i class="bi bi-check-circle"></i>
+                                            </button>
+                                        <?php elseif ($order['status'] === 'ready'): ?>
+                                            <button type="submit" name="status" value="completed" class="btn btn-sm btn-success py-0 px-1" title="Complete Order">
+                                                <i class="bi bi-check-all"></i>
+                                            </button>
+                                        <?php endif; ?>
+                                    </form>
                                     <?php endif; ?>
-                                </form>
-                                <?php else: ?>
-                                    <span class="text-muted small">View Only</span>
-                                <?php endif; ?>
+
+                                    <!-- Standard Actions -->
+                                    <a href="order_view.php?id=<?= $order['id'] ?>" class="btn-icon-soft" title="View Order">
+                                        <i class="bi bi-eye-fill"></i>
+                                    </a>
+                                    
+                                    <?php if (has_permission('orders_add')): ?>
+                                    <a href="order_edit.php?id=<?= $order['id'] ?>" class="btn-icon-soft edit" title="Edit Order">
+                                        <i class="bi bi-pencil-fill"></i>
+                                    </a>
+                                    <?php endif; ?>
+                                    
+                                    <?php if (has_permission('manage_orders')): ?>
+                                    <a href="?delete=<?= $order['id'] ?>" class="btn-icon-soft delete" onclick="return confirm('Are you sure you want to delete this order? This action cannot be undone.')" title="Delete Order">
+                                        <i class="bi bi-trash-fill"></i>
+                                    </a>
+                                    <?php endif; ?>
+                                </div>
                             </td>
                         </tr>
                     <?php endforeach; ?>
diff --git a/admin/outlets.php b/admin/outlets.php
index f6cec63..65f2f24 100644
--- a/admin/outlets.php
+++ b/admin/outlets.php
@@ -4,17 +4,27 @@ require_permission("outlets_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
-if (isset($_POST['action']) && $_POST['action'] === 'add_outlet') {
-    $stmt = $pdo->prepare("INSERT INTO outlets (name, address) VALUES (?, ?)");
-    $stmt->execute([$_POST['name'], $_POST['address']]);
-    header("Location: outlets.php");
-    exit;
+$message = '';
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'add_outlet') {
+    if (!has_permission('outlets_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to add outlets.</div>';
+    } else {
+        $stmt = $pdo->prepare("INSERT INTO outlets (name, address) VALUES (?, ?)");
+        $stmt->execute([$_POST['name'], $_POST['address']]);
+        header("Location: outlets.php");
+        exit;
+    }
 }
 
 if (isset($_GET['delete'])) {
-    $pdo->prepare("DELETE FROM outlets WHERE id = ?")->execute([$_GET['delete']]);
-    header("Location: outlets.php");
-    exit;
+    if (!has_permission('outlets_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete outlets.</div>';
+    } else {
+        $pdo->prepare("DELETE FROM outlets WHERE id = ?")->execute([$_GET['delete']]);
+        header("Location: outlets.php");
+        exit;
+    }
 }
 
 $query = "SELECT * FROM outlets ORDER BY id DESC";
@@ -26,11 +36,15 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Outlets</h2>
+    <?php if (has_permission('outlets_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addOutletModal">
         <i class="bi bi-plus-lg"></i> Add Outlet
     </button>
+    <?php endif; ?>
 </div>
 
+<?= $message ?>
+
 <div class="card border-0 shadow-sm">
     <div class="card-body p-0">
         <!-- Pagination Controls -->
@@ -54,8 +68,13 @@ include 'includes/header.php';
                         <td class="fw-bold"><?= htmlspecialchars($outlet['name']) ?></td>
                         <td><small class="text-muted"><?= htmlspecialchars($outlet['address']) ?></small></td>
                         <td>
+                            <?php if (has_permission('outlets_add')): ?>
                             <a href="outlet_edit.php?id=<?= $outlet['id'] ?>" class="btn btn-sm btn-outline-secondary me-1"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('outlets_del')): ?>
                             <a href="?delete=<?= $outlet['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Delete this outlet?')"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
@@ -70,6 +89,7 @@ include 'includes/header.php';
 </div>
 
 <!-- Add Outlet Modal -->
+<?php if (has_permission('outlets_add')): ?>
 <div class="modal fade" id="addOutletModal" tabindex="-1">
     <div class="modal-dialog">
         <div class="modal-content">
@@ -97,5 +117,6 @@ include 'includes/header.php';
         </div>
     </div>
 </div>
+<?php endif; ?>
 
 <?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/payment_types.php b/admin/payment_types.php
index 8cb83e5..8ac79ab 100644
--- a/admin/payment_types.php
+++ b/admin/payment_types.php
@@ -4,12 +4,18 @@ require_permission("payment_types_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 // Handle Delete
 if (isset($_GET['delete_id'])) {
-    $stmt = $pdo->prepare("DELETE FROM payment_types WHERE id = ?");
-    $stmt->execute([$_GET['delete_id']]);
-    header("Location: payment_types.php?msg=deleted");
-    exit;
+    if (!has_permission('payment_types_del')) {
+        $message = '<div class="alert alert-danger border-0 shadow-sm rounded-3">Access Denied: You do not have permission to delete payment types.</div>';
+    } else {
+        $stmt = $pdo->prepare("DELETE FROM payment_types WHERE id = ?");
+        $stmt->execute([$_GET['delete_id']]);
+        header("Location: payment_types.php?msg=deleted");
+        exit;
+    }
 }
 
 // Fetch Payment Types
@@ -22,11 +28,15 @@ require_once __DIR__ . '/includes/header.php';
 <div class="container-fluid">
     <div class="d-flex justify-content-between align-items-center mb-4">
         <h2 class="h3 mb-0 text-gray-800">Payment Types</h2>
+        <?php if (has_permission('payment_types_add')): ?>
         <a href="payment_type_edit.php" class="btn btn-primary">
             <i class="bi bi-plus-lg me-2"></i>Add Payment Type
         </a>
+        <?php endif; ?>
     </div>
 
+    <?= $message ?>
+
     <?php if (isset($_GET['msg']) && $_GET['msg'] == 'deleted'): ?>
         <div class="alert alert-success alert-dismissible fade show" role="alert">
             Payment Type deleted successfully.
@@ -68,14 +78,19 @@ require_once __DIR__ . '/includes/header.php';
                                         <?php endif; ?>
                                     </td>
                                     <td class="text-end">
+                                        <?php if (has_permission('payment_types_add')): ?>
                                         <a href="payment_type_edit.php?id=<?= $pt['id'] ?>" class="btn btn-sm btn-outline-primary me-1">
                                             <i class="bi bi-pencil"></i>
                                         </a>
+                                        <?php endif; ?>
+                                        
+                                        <?php if (has_permission('payment_types_del')): ?>
                                         <a href="payment_types.php?delete_id=<?= $pt['id'] ?>" 
                                            class="btn btn-sm btn-outline-danger"
                                            onclick="return confirm('Are you sure you want to delete this payment type?');">
                                             <i class="bi bi-trash"></i>
                                         </a>
+                                        <?php endif; ?>
                                     </td>
                                 </tr>
                             <?php endforeach; ?>
diff --git a/admin/suppliers.php b/admin/suppliers.php
index cb882b3..6e703fe 100644
--- a/admin/suppliers.php
+++ b/admin/suppliers.php
@@ -8,27 +8,35 @@ $message = '';
 
 // Handle Add Supplier
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'add_supplier') {
-    $name = $_POST['name'];
-    $contact_person = $_POST['contact_person'];
-    $email = $_POST['email'];
-    $phone = $_POST['phone'];
-    $address = $_POST['address'];
-    $vat_no = $_POST['vat_no'];
-
-    $stmt = $pdo->prepare("INSERT INTO suppliers (name, contact_person, email, phone, address, vat_no) VALUES (?, ?, ?, ?, ?, ?)");
-    if ($stmt->execute([$name, $contact_person, $email, $phone, $address, $vat_no])) {
-        $message = '<div class="alert alert-success">Supplier added successfully!</div>';
+    if (!has_permission('suppliers_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to add suppliers.</div>';
     } else {
-        $message = '<div class="alert alert-danger">Error adding supplier.</div>';
+        $name = $_POST['name'];
+        $contact_person = $_POST['contact_person'];
+        $email = $_POST['email'];
+        $phone = $_POST['phone'];
+        $address = $_POST['address'];
+        $vat_no = $_POST['vat_no'];
+
+        $stmt = $pdo->prepare("INSERT INTO suppliers (name, contact_person, email, phone, address, vat_no) VALUES (?, ?, ?, ?, ?, ?)");
+        if ($stmt->execute([$name, $contact_person, $email, $phone, $address, $vat_no])) {
+            $message = '<div class="alert alert-success">Supplier added successfully!</div>';
+        } else {
+            $message = '<div class="alert alert-danger">Error adding supplier.</div>';
+        }
     }
 }
 
 // Handle Delete
 if (isset($_GET['delete'])) {
-    $id = $_GET['delete'];
-    $pdo->prepare("DELETE FROM suppliers WHERE id = ?")->execute([$id]);
-    header("Location: suppliers.php");
-    exit;
+    if (!has_permission('suppliers_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete suppliers.</div>';
+    } else {
+        $id = $_GET['delete'];
+        $pdo->prepare("DELETE FROM suppliers WHERE id = ?")->execute([$id]);
+        header("Location: suppliers.php");
+        exit;
+    }
 }
 
 // Fetch Suppliers
@@ -41,9 +49,11 @@ include 'includes/header.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Suppliers</h2>
+    <?php if (has_permission('suppliers_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addSupplierModal">
         <i class="bi bi-plus-lg"></i> Add Supplier
     </button>
+    <?php endif; ?>
 </div>
 
 <?= $message ?>
@@ -77,8 +87,13 @@ include 'includes/header.php';
                         <td><span class="badge bg-light text-dark border"><?= htmlspecialchars($supplier['vat_no']) ?></span></td>
                         <td>
                             <div class="btn-group">
+                                <?php if (has_permission('suppliers_add')): ?>
                                 <a href="supplier_edit.php?id=<?= $supplier['id'] ?>" class="btn btn-sm btn-outline-primary" title="Edit Supplier"><i class="bi bi-pencil"></i></a>
+                                <?php endif; ?>
+                                
+                                <?php if (has_permission('suppliers_del')): ?>
                                 <a href="?delete=<?= $supplier['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Are you sure?')" title="Delete"><i class="bi bi-trash"></i></a>
+                                <?php endif; ?>
                             </div>
                         </td>
                     </tr>
@@ -99,6 +114,7 @@ include 'includes/header.php';
 </div>
 
 <!-- Add Supplier Modal -->
+<?php if (has_permission('suppliers_add')): ?>
 <div class="modal fade" id="addSupplierModal" tabindex="-1">
     <div class="modal-dialog">
         <div class="modal-content">
@@ -144,5 +160,6 @@ include 'includes/header.php';
         </div>
     </div>
 </div>
+<?php endif; ?>
 
 <?php include 'includes/footer.php'; ?>
\ No newline at end of file
diff --git a/admin/tables.php b/admin/tables.php
index 0d59f15..0200a9a 100644
--- a/admin/tables.php
+++ b/admin/tables.php
@@ -4,17 +4,27 @@ require_permission("tables_view");
 require_once __DIR__ . '/../db/config.php';
 $pdo = db();
 
+$message = '';
+
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'add_table') {
-    $stmt = $pdo->prepare("INSERT INTO tables (area_id, name, capacity) VALUES (?, ?, ?)");
-    $stmt->execute([$_POST['area_id'], $_POST['name'], $_POST['capacity']]);
-    header("Location: tables.php");
-    exit;
+    if (!has_permission('tables_add')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to add tables.</div>';
+    } else {
+        $stmt = $pdo->prepare("INSERT INTO tables (area_id, name, capacity) VALUES (?, ?, ?)");
+        $stmt->execute([$_POST['area_id'], $_POST['name'], $_POST['capacity']]);
+        header("Location: tables.php");
+        exit;
+    }
 }
 
 if (isset($_GET['delete'])) {
-    $pdo->prepare("DELETE FROM tables WHERE id = ?")->execute([$_GET['delete']]);
-    header("Location: tables.php");
-    exit;
+    if (!has_permission('tables_del')) {
+        $message = '<div class="alert alert-danger">Access Denied: You do not have permission to delete tables.</div>';
+    } else {
+        $pdo->prepare("DELETE FROM tables WHERE id = ?")->execute([$_GET['delete']]);
+        header("Location: tables.php");
+        exit;
+    }
 }
 
 // Fetch tables with area and outlet names
@@ -47,11 +57,15 @@ $baseUrl = $protocol . $host . ($dir === '/' ? '' : $dir) . '/qorder.php';
 
 <div class="d-flex justify-content-between align-items-center mb-4">
     <h2 class="fw-bold mb-0">Tables</h2>
+    <?php if (has_permission('tables_add')): ?>
     <button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addTableModal">
         <i class="bi bi-plus-lg"></i> Add Table
     </button>
+    <?php endif; ?>
 </div>
 
+<?= $message ?>
+
 <div class="card border-0 shadow-sm">
     <div class="card-body p-0">
         <!-- Pagination Controls -->
@@ -87,8 +101,13 @@ $baseUrl = $protocol . $host . ($dir === '/' ? '' : $dir) . '/qorder.php';
                                     title="View QR Code">
                                 <i class="bi bi-qr-code me-1"></i> QR
                             </button>
+                            <?php if (has_permission('tables_add')): ?>
                             <a href="table_edit.php?id=<?= $table['id'] ?>" class="btn btn-sm btn-outline-primary me-1" title="Edit"><i class="bi bi-pencil"></i></a>
+                            <?php endif; ?>
+                            
+                            <?php if (has_permission('tables_del')): ?>
                             <a href="?delete=<?= $table['id'] ?>" class="btn btn-sm btn-outline-danger" onclick="return confirm('Delete this table?')" title="Delete"><i class="bi bi-trash"></i></a>
+                            <?php endif; ?>
                         </td>
                     </tr>
                     <?php endforeach; ?>
@@ -108,6 +127,7 @@ $baseUrl = $protocol . $host . ($dir === '/' ? '' : $dir) . '/qorder.php';
 </div>
 
 <!-- Add Table Modal -->
+<?php if (has_permission('tables_add')): ?>
 <div class="modal fade" id="addTableModal" tabindex="-1">
     <div class="modal-dialog">
         <div class="modal-content">
@@ -144,6 +164,7 @@ $baseUrl = $protocol . $host . ($dir === '/' ? '' : $dir) . '/qorder.php';
         </div>
     </div>
 </div>
+<?php endif; ?>
 
 <!-- QR Code Modal -->
 <div class="modal fade" id="qrModal" tabindex="-1">