diff --git a/action.php b/action.php
index 7391bd0..e1a96b5 100644
--- a/action.php
+++ b/action.php
@@ -4,9 +4,14 @@
  * Make things happen when buttons are pressed and forms submitted.
  */
 require_once __DIR__ . "/required.php";
+require_once __DIR__ . "/lib/login.php";
 
 dieifnotloggedin();
 
+if (account_has_permission($_SESSION['username'], "QWIKCLOCK") == FALSE) {
+    die("You don't have permission to be here.");
+}
+
 /**
  * Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID.
  * The message will be displayed by the app.
diff --git a/app.php b/app.php
index e3bae06..00aa34c 100644
--- a/app.php
+++ b/app.php
@@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";
 
-if ($_SESSION['loggedin'] != true) {
-    header('Location: index.php');
-    die("Session expired.  Log in again to continue.");
-}
+redirectIfNotLoggedIn();
 
 require_once __DIR__ . "/pages.php";
 
diff --git a/index.php b/index.php
index 262d7b3..1e6a411 100644
--- a/index.php
+++ b/index.php
@@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "QWIKCLOCK")) {
     header('Location: app.php');
 }
 
@@ -34,13 +34,17 @@ if (checkLoginServer()) {
                         break;
                 }
                 if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
-                    if (userHasTOTP($VARS['username'])) {
-                        $multiauth = true;
+                    if (account_has_permission($VARS['username'], "QWIKCLOCK") == FALSE) {
+                        $alert = lang("no admin permission", false);
                     } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
-                        header('Location: app.php');
-                        die("Logged in, go to app.php");
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
+                        if (userHasTOTP($VARS['username'])) {
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                     }
                 }
             } else {
diff --git a/lang/en_us.php b/lang/en_us.php
index fd77880..a28ab15 100644
--- a/lang/en_us.php
+++ b/lang/en_us.php
@@ -5,6 +5,7 @@ define("STRINGS", [
     "username" => "Username",
     "password" => "Password",
     "continue" => "Continue",
+    "no admin permission" => "You do not have permission to access this system.",
     "authcode" => "Authentication code",
     "2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
     "2fa incorrect" => "Authentication code incorrect.",
diff --git a/required.php b/required.php
index 0ea9e72..b25bcf8 100644
--- a/required.php
+++ b/required.php
@@ -186,6 +186,11 @@ if (!function_exists('base_url')) {
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
         header('Location: ' . URL . '/index.php');
-        die();
+        die("You are not logged in.");
+    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "QWIKCLOCK") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
     }
 }