diff --git a/debts.php b/debts.php
index 6f9e349..f28f5ed 100644
--- a/debts.php
+++ b/debts.php
@@ -1,6 +1,6 @@
 <?php
 require_once 'includes/app.php';
-$user = require_auth();
+$user = require_permission('debts', 'show');
 
 $activeNav = 'debts';
 $pageTitle = tr('الديون والفواتير الآجلة', 'Debts & Unpaid Bills');
diff --git a/edit_online_order.php b/edit_online_order.php
index 3ea5dc0..3c44bb3 100644
--- a/edit_online_order.php
+++ b/edit_online_order.php
@@ -1,6 +1,6 @@
 <?php
 require_once __DIR__ . '/includes/app.php';
-$user = require_permission('sales', 'show'); // Same permission as online_orders.php
+$user = require_permission('online_orders', 'edit');
 
 $editOrderId = (int)($_GET['id'] ?? 0);
 $editOrder = null;
diff --git a/eid_orders.php b/eid_orders.php
index 1fdd830..76fc09f 100644
--- a/eid_orders.php
+++ b/eid_orders.php
@@ -1,6 +1,6 @@
 <?php
 require_once __DIR__ . '/includes/app.php';
-$user = require_permission('sales', 'show');
+$user = require_permission('eid_orders', 'show');
 ensure_sales_table();
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action']) && $_POST['action'] === 'mark_as_paid') {
diff --git a/eid_print.php b/eid_print.php
index 29875b2..47dbda6 100644
--- a/eid_print.php
+++ b/eid_print.php
@@ -1,6 +1,6 @@
 <?php
 require_once __DIR__ . '/includes/app.php';
-$user = require_permission('sales', 'show');
+$user = require_permission('eid_orders', 'show');
 ensure_sales_table();
 
 $activeNav = 'eid_orders';
diff --git a/includes/app.php b/includes/app.php
index b2a3bb9..d42eb50 100644
--- a/includes/app.php
+++ b/includes/app.php
@@ -515,7 +515,7 @@ function require_auth(): array
     return $user;
 }
 
-function get_app_modules(): array { return ["pos" => ["name_ar" => "نقاط البيع", "name_en" => "POS", "actions" => ["show", "add"]], "normal_sale" => ["name_ar" => "فاتورة", "name_en" => "Invoice", "actions" => ["show", "add"]], "sales" => ["name_ar" => "المبيعات", "name_en" => "Sales", "actions" => ["show", "edit", "del"]], "purchases" => ["name_ar" => "المشتريات", "name_en" => "Purchases", "actions" => ["show", "add", "edit", "del"]], "stock" => ["name_ar" => "المخزون", "name_en" => "Stock", "actions" => ["show", "add", "edit", "del"]], "reports" => ["name_ar" => "التقارير", "name_en" => "Reports", "actions" => ["show"]], "customers" => ["name_ar" => "العملاء", "name_en" => "Customers", "actions" => ["show", "add", "edit", "del"]], "suppliers" => ["name_ar" => "الموردين", "name_en" => "Suppliers", "actions" => ["show", "add", "edit", "del"]], "categories" => ["name_ar" => "التصنيفات", "name_en" => "Categories", "actions" => ["show", "add", "edit", "del"]], "units" => ["name_ar" => "الوحدات", "name_en" => "Units", "actions" => ["show", "add", "edit", "del"]], "users" => ["name_ar" => "المستخدمين", "name_en" => "Users", "actions" => ["show", "add", "edit", "del"]], "settings" => ["name_ar" => "الإعدادات", "name_en" => "Settings", "actions" => ["show", "edit"]], "expense_categories" => ["name_ar" => "تصنيفات المصروفات", "name_en" => "Expense Categories", "actions" => ["show", "add", "edit", "del"]], "expenses" => ["name_ar" => "المصروفات", "name_en" => "Expenses", "actions" => ["show", "add", "edit", "del"]]]; } function has_permission(string $m, string $a = "show"): bool { $u = current_user(); if (!$u) return false; if ($u["role"] === "owner") return true; $p = !empty($u["permissions"]) ? (is_array($u["permissions"]) ? $u["permissions"] : json_decode($u["permissions"], true)) : []; return !empty($p[$m][$a]); } function require_permission(string $m, string $a = "show"): array { $u = require_auth(); if (!has_permission($m, $a)) { set_flash("warning", tr("ليس لديك صلاحية.", "You do not have permission.")); redirect_to("index.php"); } return $u; }
+function get_app_modules(): array { return ["pos" => ["name_ar" => "نقاط البيع", "name_en" => "POS", "actions" => ["show", "add"]], "normal_sale" => ["name_ar" => "فاتورة", "name_en" => "Invoice", "actions" => ["show", "add"]], "eid_orders" => ["name_ar" => "طلبات العيد", "name_en" => "Eid Orders", "actions" => ["show", "add", "edit"]], "online_orders" => ["name_ar" => "طلبات المتجر", "name_en" => "Online Orders", "actions" => ["show", "edit"]], "sales" => ["name_ar" => "المبيعات", "name_en" => "Sales", "actions" => ["show", "edit", "del"]], "debts" => ["name_ar" => "الديون", "name_en" => "Debts", "actions" => ["show", "edit"]], "purchases" => ["name_ar" => "المشتريات", "name_en" => "Purchases", "actions" => ["show", "add", "edit", "del"]], "stock" => ["name_ar" => "المخزون", "name_en" => "Stock", "actions" => ["show", "add", "edit", "del"]], "reports" => ["name_ar" => "التقارير", "name_en" => "Reports", "actions" => ["show"]], "customers" => ["name_ar" => "العملاء", "name_en" => "Customers", "actions" => ["show", "add", "edit", "del"]], "suppliers" => ["name_ar" => "الموردين", "name_en" => "Suppliers", "actions" => ["show", "add", "edit", "del"]], "categories" => ["name_ar" => "التصنيفات", "name_en" => "Categories", "actions" => ["show", "add", "edit", "del"]], "units" => ["name_ar" => "الوحدات", "name_en" => "Units", "actions" => ["show", "add", "edit", "del"]], "users" => ["name_ar" => "المستخدمين", "name_en" => "Users", "actions" => ["show", "add", "edit", "del"]], "settings" => ["name_ar" => "الإعدادات", "name_en" => "Settings", "actions" => ["show", "edit"]], "expense_categories" => ["name_ar" => "تصنيفات المصروفات", "name_en" => "Expense Categories", "actions" => ["show", "add", "edit", "del"]], "expenses" => ["name_ar" => "المصروفات", "name_en" => "Expenses", "actions" => ["show", "add", "edit", "del"]]]; } function has_permission(string $m, string $a = "show"): bool { $u = current_user(); if (!$u) return false; if ($u["role"] === "owner") return true; $p = !empty($u["permissions"]) ? (is_array($u["permissions"]) ? $u["permissions"] : json_decode($u["permissions"], true)) : []; return !empty($p[$m][$a]); } function require_permission(string $m, string $a = "show"): array { $u = require_auth(); if (!has_permission($m, $a)) { set_flash("warning", tr("ليس لديك صلاحية.", "You do not have permission.")); redirect_to("index.php"); } return $u; }
 function require_roles(array $roles): array
 {
     $user = require_auth();
diff --git a/includes/purchase_form.php b/includes/purchase_form.php
index 0597092..4d19d1b 100644
--- a/includes/purchase_form.php
+++ b/includes/purchase_form.php
@@ -1,6 +1,6 @@
 <?php
 require_once __DIR__ . '/app.php';
-$user = require_roles(['owner', 'manager', 'cashier']);
+$user = require_permission('purchases', 'add');
 $pageTitle = tr('فاتورة مشتريات جديدة', 'New Purchase');
 $activeNav = 'new_purchase';
 $error = '';
diff --git a/online_orders.php b/online_orders.php
index b2296ae..fa147e5 100644
--- a/online_orders.php
+++ b/online_orders.php
@@ -1,6 +1,6 @@
 <?php
 require_once __DIR__ . '/includes/app.php';
-$user = require_permission('sales', 'show'); // or create a specific permission
+$user = require_permission('online_orders', 'show');
 $pageTitle = tr('طلبات المتجر', 'Online Orders');
 $activeNav = 'online_orders';