diff --git a/app/controllers/customers_controller.rb b/app/controllers/customers_controller.rb
index 409b8b2..e71a5b5 100644
--- a/app/controllers/customers_controller.rb
+++ b/app/controllers/customers_controller.rb
@@ -27,7 +27,8 @@ class CustomersController < ApplicationController
   include SortHelper
   helper :timelog
-  before_filter :require_user, :except => :view
+  before_filter :add_customer, :only => :new
+  before_filter :view_customer, :except => :new
   skip_before_filter :verify_authenticity_token, :check_if_login_required, :only => [:view]
   default_search_scope :names
@@ -144,6 +145,14 @@ class CustomersController < ApplicationController
   private
+  def add_customer
+    global_check_permission(:add_customers)
+  end
+
+  def view_customer
+    global_check_permission(:view_customers)
+  end
+
   def only_one_non_zero?( array )
     found_non_zero = false
     array.each do |val|
diff --git a/app/controllers/payments_controller.rb b/app/controllers/payments_controller.rb
index 347b416..fb630be 100644
--- a/app/controllers/payments_controller.rb
+++ b/app/controllers/payments_controller.rb
@@ -12,8 +12,8 @@ class PaymentsController < ApplicationController
   include AuthHelper
-  before_filter :require_user
-
+  before_filter :check_permissions
+
   def new
     @payment = Payment.new
@@ -32,10 +32,16 @@ class PaymentsController < ApplicationController
     else
       flash[:error] = @payment.errors.full_messages.to_sentence
       redirect_to new_customer_path
-end
+    end
   end
   private
+
+  def check_permissions
+    if !allowed_to?(:add_payments)
+      render :file => "public/401.html.erb", :status => :unauthorized, :layout =>true
+    end
+  end
   def only_one_non_zero?( array )
     found_non_zero = false
diff --git a/app/controllers/vehicles_controller.rb b/app/controllers/vehicles_controller.rb
index cd7ad16..105159b 100644
--- a/app/controllers/vehicles_controller.rb
+++ b/app/controllers/vehicles_controller.rb
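Review bot: `before_filter :view_customer, :except => :new` now runs on the `view` action, while the `skip_before_filter ... :check_if_login_required, :only => [:view]` kept on the next line still declares `view` reachable without login; because `view_customers` is registered `:public => false` in init.rb, an anonymous request to `view` will now get the 401 page unless the Anonymous role has been granted that permission, which contradicts what the skip was protecting. If `view` is meant to stay public the line should read `before_filter :view_customer, :except => [:new, :view]`; if it is meant to be gated now, the stale `skip_before_filter` entry should be removed with it. Note also that `:add_customer, :only => :new` leaves any `create` action (not visible in this hunk) under the weaker `view_customers` check, mirroring the `permission :add_customers, :customers => :new` declaration that lists only `new`.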
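Review bot: `add_customer` and `view_customer` read like actions rather than guards and carry no comment on what they enforce; since `global_check_permission` (added to app/helpers/auth_helper.rb in this commit) accepts the permission when it is held in any project, a comment such as `# Halts with the 401 page unless the current user holds :add_customers in at least one project` above each method would make that scope explicit. They sit under `private`, so they are not routable, but a name like `require_add_customers` would keep the intent obvious at the `before_filter` call site.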
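Review bot: `before_filter :check_permissions` is declared with no `:only`/`:except`, and `check_permissions` (defined in the next hunk of this file) tests only `:add_payments`, so `index` is now gated by the add permission rather than the `view_payments` permission that init.rb registers for `:payments => :index`; a user granted only `view_payments` gets the 401 page on the index. Splitting this into two filters, one checking `:view_payments` with `:only => :index` and one checking `:add_payments` for the remaining actions, would make the controller agree with the declared permissions.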
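Review bot: `check_permissions` duplicates `AuthHelper#check_permission` added in the same commit (app/helpers/auth_helper.rb), and this controller already does `include AuthHelper`; its body can shrink to `check_permission(:add_payments)` so the 401 rendering and its `:file`/`:status`/`:layout` options live in one place. The `-end`/`+    end` indentation fix in this hunk is fine as is.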
@@ -57,6 +57,7 @@ class VehiclesController < ApplicationController
   def show
     begin
       @vehicle = Vehicle.find_by_id(params[:id])
+      @vin = @vehicle.vin.scan(/.{1,9}/) if @vehicle.vin
     rescue ActiveRecord::RecordNotFound
       render_404
     end
@@ -101,15 +102,6 @@ class VehiclesController < ApplicationController
     end
   end
-  # returns a dynamic list of vehicles owned by a customer
-  def update_vehicles
-    @vehicles = Customer.find_by(customer_id: params[:customer_id].to_i).vehicles
-    respond_to do |format|
-      format.html { render(:text => "not implemented") }
-      format.js
-    end
-  end
-
   private
   def only_one_non_zero?( array )
diff --git a/app/helpers/auth_helper.rb b/app/helpers/auth_helper.rb
index 4605dcf..eaafc55 100644
--- a/app/helpers/auth_helper.rb
+++ b/app/helpers/auth_helper.rb
@@ -16,4 +16,38 @@ module AuthHelper
       render :file => "public/401.html.erb", :status => :unauthorized, :layout =>true
     end
   end
+
+  def allowed_to?(action)
+    return false if User.current.nil?
+    project = Project.find(params[:project_id])
+    return false if project.nil?
+    return true if User.current.allowed_to?(action, project)
+    false
+  end
+
+  def check_permission(permission)
+    if !allowed_to?(permission)
+      render :file => "public/401.html.erb", :status => :unauthorized, :layout =>true
+    end
+  end
+
+
+  def global_check_permission(permission)
+    if !globaly_allowed_to?(permission)
+      render :file => "public/401.html.erb", :status => :unauthorized, :layout =>true
+    end
+  end
+
+  def globaly_allowed_to?( action)
+    return false if User.current.nil?
+
+    projects = Project.all
+    projects.each { |p|
+      if User.current.allowed_to?(action, p)
+        return true
+      end
+    }
+    false
+  end
+
 end
diff --git a/app/views/vehicles/_details.html.erb b/app/views/vehicles/_details.html.erb
index 88b407b..058eb0b 100644
--- a/app/views/vehicles/_details.html.erb
+++ b/app/views/vehicles/_details.html.erb
@@ -13,7 +13,7 @@ VIN
-          <%= vehicle.vin %>
+          <%= @vin[0] if @vin %><%=@vin[1] if @vin%>
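Review bot: `Vehicle.find_by_id` returns nil instead of raising when no row matches, so the added `@vin = @vehicle.vin.scan(/.{1,9}/) if @vehicle.vin` raises `NoMethodError` on nil for an unknown id, and the `rescue ActiveRecord::RecordNotFound` below it never fires (that rescue was already ineffective before this change; the new line turns the case into a 500). Guarding on the record too, `@vin = @vehicle.vin.scan(/.{1,9}/) if @vehicle && @vehicle.vin`, together with an explicit `render_404 unless @vehicle` ahead of it, restores the intended not-found path. The body of `show` continues past the end of the hunk.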
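Review bot: In `allowed_to?`, `Project.find(params[:project_id])` raises `ActiveRecord::RecordNotFound` when the id is absent or unknown, so `return false if project.nil?` is dead code and a request with no `project_id` (the `:application_menu` entries in init.rb carry no `:param => :project_id`) surfaces as an exception rather than the `false` the method promises; `project = Project.find_by_id(params[:project_id])`, the finder the vehicles controller in this commit already uses, makes the nil branch real, and the trailing `return true if ... / false` pair collapses to `User.current.allowed_to?(action, project)`. `globaly_allowed_to?` loads every project via `Project.all` on each request to find one where the permission holds, so a permission granted in any single project unlocks the global customer pages; if the Redmine version in use provides `User#allowed_to_globally?`, `User.current.allowed_to_globally?(action)` expresses that check without the scan, and either way the any-project semantics deserve a comment on the method. The enclosing `module AuthHelper` begins outside the hunk.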
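Review bot: The partial now prints the VIN from `@vin`, which only `VehiclesController#show` assigns, while its other fields still come from the `vehicle` local, so anywhere else `_details` is rendered the VIN cell silently goes blank. Deriving the split from the local keeps the partial self-contained: `<% vin_parts = vehicle.vin.to_s.scan(/.{1,9}/) %>` followed by `<%= vin_parts[0] %><%= vin_parts[1] %>` yields the same output for `show` and an empty cell rather than an error for a nil VIN.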
diff --git a/app/views/vehicles/_form.html.erb b/app/views/vehicles/_form.html.erb
index e156ed1..5da0ff3 100644
--- a/app/views/vehicles/_form.html.erb
+++ b/app/views/vehicles/_form.html.erb
@@ -41,14 +41,7 @@
Notes:
-

-    <%= content_tag 'span', :id => "issue_description_and_toolbar", :style => (@vehicle.new_record? ? nil : 'display:none') do %>
-      <%= f.text_area :notes,
-                      :cols => 60,
-                      :rows => 10,
-                      :no_label => true %>
-    <% end %>
-

+ <%= f.text_area :notes, :cols => 60, :rows => 10, :no_label => true %>
diff --git a/init.rb b/init.rb
index 7026712..7b6a860 100644
--- a/init.rb
+++ b/init.rb
@@ -28,7 +28,7 @@ Redmine::Plugin.register :redmine_qbo do
   name 'Redmine Quickbooks Online plugin'
   author 'Rick Barrette'
   description 'This is a plugin for Redmine to intergrate with Quickbooks Online to allow for seamless intergration CRM and invoicing of completed issues'
-  version '0.4.1'
+  version '0.4.3'
   url 'https://github.com/rickbarrette/redmine_qbo'
   author_url 'http://rickbarrette.org'
   settings :default => {'empty' => true}, :partial => 'qbo/settings'
@@ -47,18 +47,21 @@ Redmine::Plugin.register :redmine_qbo do
   # set per_page globally
   WillPaginate.per_page = 10
-
+
+  permission :view_customers, :customers => :index, :public => false
+  permission :add_customers, :customers => :new, :public => false
+  permission :view_payments, :payments => :index, :public => false
+  permission :add_payments, :payments => :new, :public => false
+  permission :view_vehicles, :payments => :new, :public => false
+
   # Register QBO top menu item
   #menu :top_menu, :qbo, { :controller => :qbo, :action => :index }, :caption => 'Quickbooks', :if => Proc.new { User.current.admin? }
-  menu :top_menu, :customers, { :controller => :customers, :action => :index }, :caption => 'Customers', :if => Proc.new { User.current.logged? }
-  menu :top_menu, :vehicles, { :controller => :vehicles, :action => :index }, :caption => 'Vehicles', :if => Proc.new { User.current.logged? }
+  menu :top_menu, :customers, { :controller => :customers, :action => :index }, :caption => 'Customers', :if => Proc.new {User.current.logged?}
+  menu :top_menu, :vehicles, { :controller => :vehicles, :action => :index }, :caption => 'Vehicles', :if => Proc.new { User.current.allowed_to?(:view_vehicles, @project) }
-  menu :application_menu, :new_customer, { :controller => :customers, :action => :new }, :caption => 'New Customer', :if => Proc.new { User.current.logged? }
-  menu :application_menu, :new_payment, { :controller => :payments, :action => :new }, :caption => 'New Payment', :if => Proc.new { User.current.logged? }
+  menu :application_menu, :new_customer, { :controller => :customers, :action => :new }, :caption => 'New Customer', :if => Proc.new { User.current.allowed_to?(:add_customers, @project) }
+  menu :application_menu, :new_payment, { :controller => :payments, :action => :new }, :caption => 'New Payment', :if => Proc.new { User.current.allowed_to?(:add_payments, @project)}
-  permission :customers, { :customers => [:index, :new] }, :public => false
   menu :project_menu, :customers, { :controller => 'customers', :action => 'new' }, :caption => 'New Customer', :after => :new_issue, :param => :project_id
-
-  permission :payments, { :payments => [:index, :new] }, :public => false
   menu :project_menu, :payments, { :controller => 'payments', :action => 'new' }, :caption => 'New Payment', :after => :customers, :param => :project_id
 end
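Review bot: `permission :view_vehicles, :payments => :new, :public => false` maps the vehicles permission onto `payments#new` rather than a vehicles action; next to the `add_payments` line above it this reads as a copy/paste slip, presumably meant as `:vehicles => :index`, and as written it grants `payments#new` to anyone holding `view_vehicles` while controlling nothing about vehicles. The new `:if` conditions read `@project` inside `Proc.new` blocks evaluated at plugin-registration scope, where no such instance variable is visible, and Redmine's `allowed_to?` with a nil project context returns false for ordinary users, so these menu items would likely be hidden for everyone; if the menu framework hands the project to the condition, `Proc.new { |project| User.current.allowed_to?(:view_vehicles, project) }` (or a global check for the project-less top menu) is the form to use, worth confirming against the targeted Redmine version. `view_payments` is declared but nothing in this commit consults it, since PaymentsController gates every action on `add_payments`. The `{User.current.logged?}` spacing on the customers line also differs from the surrounding entries.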