diff --git a/action.php b/action.php
index 1bc37c8..99712b3 100644
--- a/action.php
+++ b/action.php
@@ -20,6 +20,10 @@ function returnToSender($msg, $arg = "") {
 die();
 }
+if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "TASKFLOOR")) {
+ returnToSender("no_permission");
+}
+
 switch ($VARS['action']) {
 case "signout":
 session_destroy();
diff --git a/api.php b/api.php
index e7c3c0b..0669a52 100644
--- a/api.php
+++ b/api.php
@@ -18,6 +18,12 @@ if (user_exists($username) !== true || authenticate_user($username, $password, $
 header("HTTP/1.1 403 Unauthorized");
 die("\"403 Unauthorized\"");
 }
+
+if (!account_has_permission($username, "TASKFLOOR")) {
+ header("HTTP/1.1 403 Unauthorized");
+ die("\"403 Unauthorized\"");
+}
+
 $userinfo = getUserByUsername($username);
 // query max results
diff --git a/index.php b/index.php
index b3383b0..898c432 100644
--- a/index.php
+++ b/index.php
@@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "TASKFLOOR")) {
 header('Location: app.php');
 }
@@ -34,13 +34,17 @@ if (checkLoginServer()) {
 break;
 }
 if ($userpass_ok) {
- $_SESSION['passok'] = true; // stop logins using only username and authcode
- if (userHasTOTP($VARS['username'])) {
- $multiauth = true;
+ if (account_has_permission($VARS['username'], "TASKFLOOR") == FALSE) {
+ $alert = lang("no permission", false);
 } else {
- doLoginUser($VARS['username'], $VARS['password']);
- header('Location: app.php');
- die("Logged in, go to app.php");
+ $_SESSION['passok'] = true; // stop logins using only username and authcode
+ if (userHasTOTP($VARS['username'])) {
+ $multiauth = true;
+ } else {
+ doLoginUser($VARS['username'], $VARS['password']);
+ header('Location: app.php');
+ die("Logged in, go to app.php");
+ }
 }
 }
 } else {
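Review bot: The new guard compares the action with `!=`, so a non-string `$VARS['action']` is coerced before the comparison; `$VARS['action'] !== "signout"` is the safer form and matches the strict `!== true` style api.php already uses. The hunk shows no earlier check that `$_SESSION['username']` is set, so an unauthenticated request would send an empty username to the portal — if a login guard runs before this point it is outside the hunk. Unlike the required.php hunks, neither this file nor api.php adds a `require_once __DIR__ . "/lib/login.php";` before calling account_has_permission; if lib/login.php is not already loaded here the call dies with an undefined-function fatal error (fail-closed, but not the intended no_permission message).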
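Review bot: The permission-denied branch copies the `403 Unauthorized` status line and body from the credential check above it, but 403's reason phrase is Forbidden and this case really is an authenticated-but-forbidden request; `header("HTTP/1.1 403 Forbidden");` with a matching body would be accurate. Returning an indistinguishable response for a bad login and for a valid user without TASKFLOOR is reasonable, but since it looks accidental it deserves a comment, e.g. `// Deliberately identical to the bad-credentials response so callers cannot probe permissions`. The check runs only after authenticate_user succeeds, so every authenticated API call now pays an extra portal round-trip unless account_has_permission caches (it does not in the lib/login.php hunk).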
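Review bot: A user who is logged in but lacks TASKFLOOR now falls through to the login form with no explanation while `$_SESSION['loggedin']` stays true, and since redirectIfNotLoggedIn bounces them back here nothing tells them why. Splitting the condition lets the permitted case redirect (with a `die()` after `header()`, which the current line omits) and the unpermitted case show the `no permission` string this commit adds to lang/en_us.php. Whether `$alert` is rendered by this page is not visible in the hunk; the second index.php hunk assigns it the same way, so presumably it is.
```php
if ($_SESSION['loggedin']) {
    if (account_has_permission($_SESSION['username'], "TASKFLOOR")) {
        header('Location: app.php');
        die();
    }
    // Logged in but not allowed into this system: stay on the login page and say why.
    $alert = lang("no permission", false);
}
```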
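Review bot: `account_has_permission($VARS['username'], "TASKFLOOR") == FALSE` is a truthiness test in disguise, so the login decision rests on whatever PHP type the portal's `has_permission` JSON field decodes to — a non-empty string such as `"false"` is truthy and would pass. The fix belongs in account_has_permission (return a strict boolean); at this call site and in the two required.php hunks (dieifnotloggedin and redirectIfNotLoggedIn) write it as `if (!account_has_permission($VARS['username'], "TASKFLOOR")) {` so the intent is explicit. Leaving `$_SESSION['passok']` unset on the denied path is right: the authcode-only path stays closed.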
diff --git a/lang/en_us.php b/lang/en_us.php
index 120dd65..472dd20 100644
--- a/lang/en_us.php
+++ b/lang/en_us.php
@@ -20,6 +20,7 @@ define("STRINGS", [
 "settings" => "Settings",
 "options" => "Options",
 "404 error" => "404 Error",
+ "no permission" => "You do not have permission to access this system.",
 "page not found" => "Page not found.",
 "invalid parameters" => "Invalid request parameters.",
 "login server error" => "The login server returned an error: {arg}",
diff --git a/lang/messages.php b/lang/messages.php
index d88bf93..4c7067d 100644
--- a/lang/messages.php
+++ b/lang/messages.php
@@ -13,6 +13,10 @@ define("MESSAGES", [
 "string" => "page not found",
 "type" => "info"
 ],
+ "no_permission" => [
+ "string" => "no permission",
+ "type" => "danger"
+ ],
 "task_saved" => [
 "string" => "task saved",
 "type" => "success"
diff --git a/lib/login.php b/lib/login.php
index 88c5313..aeeead2 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -157,6 +157,37 @@ function get_account_status($username) {
 }
 }
+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+ $client = new GuzzleHttp\Client();
+
+ $response = $client
+ ->request('POST', PORTAL_API, [
+ 'form_params' => [
+ 'key' => PORTAL_KEY,
+ 'action' => "permission",
+ 'username' => $username,
+ 'code' => $permcode
+ ]
+ ]);
+
+ if ($response->getStatusCode() > 299) {
+ sendError("Login server error: " . $response->getBody());
+ }
+
+ $resp = json_decode($response->getBody(), TRUE);
+ if ($resp['status'] == "OK") {
+ return $resp['has_permission'];
+ } else {
+ return false;
+ }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // Login handling //
 ////////////////////////////////////////////////////////////////////////////////
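Review bot: `return $resp['has_permission'];` hands back the decoded JSON value unvalidated, so any truthy non-boolean from the portal (a string `"false"`, a count, a nested object) grants access, and a malformed body makes `$resp` null so `$resp['status']` is read from null. Every caller in this commit relies on the `@return boolean` contract, so normalise here: treat anything but an explicit `true` as no permission and bail out when the body is not a JSON object whose `status` is OK. Separately, Guzzle throws on connection failures (and, unless `http_errors` is disabled in configuration outside this hunk, on 4xx/5xx as well), so the `> 299` branch is likely unreachable and a portal outage surfaces as an uncaught exception rather than through sendError; `sendError` also echoes the remote response body to the user, which may reveal more than a login-server error should.
```php
function account_has_permission($username, $permcode) {
    // … unchanged: Guzzle POST to PORTAL_API and the status-code check …

    $resp = json_decode($response->getBody(), TRUE);
    if (!is_array($resp) || !isset($resp['status']) || $resp['status'] !== "OK") {
        return false;
    }
    // Only an explicit boolean true from the portal grants access; any other
    // type (string "false", "0", null, missing key) is treated as no permission.
    return isset($resp['has_permission']) && $resp['has_permission'] === true;
}
```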
diff --git a/required.php b/required.php
index ececcbd..4e29400 100644
--- a/required.php
+++ b/required.php
@@ -132,6 +132,10 @@ function dieifnotloggedin() {
 if ($_SESSION['loggedin'] != true) {
 sendError("Session expired. Please log out and log in again.");
 }
+ require_once __DIR__ . "/lib/login.php";
+ if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
+ die("You don't have permission to be here.");
+ }
 }
 /**
@@ -188,6 +192,11 @@ function redirectIfNotLoggedIn() {
 header('Location: ' . URL . '/index.php');
 die();
 }
+ require_once __DIR__ . "/lib/login.php";
+ if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
+ header('Location: ./index.php');
+ die("You don't have permission to be here.");
+ }
 }
 /**
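Review bot: `die("You don't have permission to be here.");` bypasses sendError, which the session-expired check just above uses, so callers of dieifnotloggedin get a bare text body for one failure and the structured error for the other; `sendError("You don't have permission to be here.");` keeps the two failure modes consistent. The message is also hard-coded even though this commit adds a `no permission` string to lang/en_us.php — if the lang() helper is loaded in required.php, `sendError(lang("no permission", false));` would reuse it. The `require_once` inside the function body is harmless but runs on every call; it belongs with the file's other includes unless lib/login.php includes required.php back (not visible here).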
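Review bot: `header('Location: ./index.php');` is a relative redirect while the not-logged-in branch directly above uses `header('Location: ' . URL . '/index.php');`; a relative Location is resolved against the current request URL, so a page served from a subdirectory would redirect to the wrong place. Use the same `URL`-based form here. A redirect loop is avoided only because index.php's own app.php redirect now also checks the permission (first index.php hunk); that coupling deserves a one-line comment, e.g. `// index.php will not bounce back: its app.php redirect also requires TASKFLOOR`.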