diff --git a/add_project.php b/add_project.php
index 92746d6..7975510 100644
--- a/add_project.php
+++ b/add_project.php
@@ -1,15 +1,22 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
-if (!isset($data['name']) || empty(trim($data['name']))) {
+$name = trim($data['name'] ?? '');
+
+if ($name === '') {
     http_response_code(400);
-    echo json_encode(['error' => 'Project name is required']);
+    echo json_encode(['success' => false, 'error' => 'Project name is required']);
     exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO projects (name) VALUES (?)");
-$stmt->execute([trim($data['name'])]);
+$stmt = $pdo->prepare("INSERT INTO projects (user_id, name) VALUES (?, ?)");
+$stmt->execute([$user_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/add_subtask.php b/add_subtask.php
index f320d92..8889f99 100644
--- a/add_subtask.php
+++ b/add_subtask.php
@@ -1,18 +1,32 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
 $name = trim($data['name'] ?? '');
 $task_id = intval($data['task_id'] ?? 0);
 
 if ($name === '' || $task_id <= 0) {
-	http_response_code(400);
-	echo json_encode(['error' => 'Invalid input']);
-	exit;
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Invalid input']);
+    exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO subtasks (task_id, name) VALUES (?, ?)");
-$stmt->execute([$task_id, $name]);
+// Ensure task belongs to this user
+$stmt = $pdo->prepare("SELECT id FROM tasks WHERE id = ? AND user_id = ? LIMIT 1");
+$stmt->execute([$task_id, $user_id]);
+if (!$stmt->fetchColumn()) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'error' => 'Forbidden']);
+    exit;
+}
+
+$stmt = $pdo->prepare("INSERT INTO subtasks (user_id, task_id, name) VALUES (?, ?, ?)");
+$stmt->execute([$user_id, $task_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/add_task.php b/add_task.php
index 8119ffd..57c709c 100644
--- a/add_task.php
+++ b/add_task.php
@@ -1,5 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
 $name = trim($data['name'] ?? '');
@@ -7,12 +13,20 @@ $project_id = intval($data['project_id'] ?? 0);
 
 if ($name === '' || $project_id <= 0) {
     http_response_code(400);
-    echo json_encode(['error' => 'Invalid input']);
+    echo json_encode(['success' => false, 'error' => 'Invalid input']);
     exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO tasks (project_id, name) VALUES (?, ?)");
-$stmt->execute([$project_id, $name]);
+// Ensure project belongs to this user
+$stmt = $pdo->prepare("SELECT id FROM projects WHERE id = ? AND user_id = ? LIMIT 1");
+$stmt->execute([$project_id, $user_id]);
+if (!$stmt->fetchColumn()) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'error' => 'Forbidden']);
+    exit;
+}
+
+$stmt = $pdo->prepare("INSERT INTO tasks (user_id, project_id, name) VALUES (?, ?, ?)");
+$stmt->execute([$user_id, $project_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/auth.php b/auth.php
new file mode 100644
index 0000000..88ff806
--- /dev/null
+++ b/auth.php
@@ -0,0 +1,36 @@
+<?php
+// auth.php
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
+function is_logged_in(): bool {
+    return isset($_SESSION['user']) && isset($_SESSION['user']['id']);
+}
+
+function current_user_id(): int {
+    return intval($_SESSION['user']['id'] ?? 0);
+}
+
+function current_user_can_manage_settings(): bool {
+    return !empty($_SESSION['user']['can_manage_settings']);
+}
+
+function require_login(): void {
+    if (!is_logged_in()) {
+        http_response_code(401);
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Not authenticated']);
+        exit;
+    }
+}
+
+function require_can_manage_settings(): void {
+    require_login();
+    if (!current_user_can_manage_settings()) {
+        http_response_code(403);
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Forbidden']);
+        exit;
+    }
+}
diff --git a/delete_project.php b/delete_project.php
index d900e92..ad37160 100644
--- a/delete_project.php
+++ b/delete_project.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM projects WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM projects WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/delete_subtask.php b/delete_subtask.php
index 32649c5..8282217 100644
--- a/delete_subtask.php
+++ b/delete_subtask.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM subtasks WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM subtasks WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/delete_task.php b/delete_task.php
index d7265e3..6beb327 100644
--- a/delete_task.php
+++ b/delete_task.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM tasks WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM tasks WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/get_data.php b/get_data.php
index 72446e9..4955210 100644
--- a/get_data.php
+++ b/get_data.php
@@ -1,19 +1,26 @@
 <?php
 require 'db.php';
+require 'auth.php';
 
-$projects = $pdo->query("SELECT * FROM projects ORDER BY sort_order ASC")->fetchAll();
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
+
+$stmt = $pdo->prepare("SELECT * FROM projects WHERE user_id = ? ORDER BY sort_order ASC");
+$stmt->execute([$user_id]);
+$projects = $stmt->fetchAll();
 
 foreach ($projects as &$project) {
-    $stmt = $pdo->prepare("SELECT * FROM tasks WHERE project_id = ? ORDER BY created_at");
-    $stmt->execute([$project['id']]);
+    $stmt = $pdo->prepare("SELECT * FROM tasks WHERE project_id = ? AND user_id = ? ORDER BY created_at");
+    $stmt->execute([$project['id'], $user_id]);
     $project['tasks'] = $stmt->fetchAll();
 
     foreach ($project['tasks'] as &$task) {
-        $stmt = $pdo->prepare("SELECT * FROM subtasks WHERE task_id = ? ORDER BY created_at");
-        $stmt->execute([$task['id']]);
+        $stmt = $pdo->prepare("SELECT * FROM subtasks WHERE task_id = ? AND user_id = ? ORDER BY created_at");
+        $stmt->execute([$task['id'], $user_id]);
         $task['subtasks'] = $stmt->fetchAll();
     }
 }
 
-echo json_encode($projects);
-?>
+echo json_encode($projects);
\ No newline at end of file
diff --git a/index.php b/index.php
index b5db406..a58a70e 100644
--- a/index.php
+++ b/index.php
@@ -343,24 +343,78 @@
     </div>
   </div>
 
-<!-- Modal: Confirmation -->
-<div class="modal fade" id="confirmationModal" tabindex="-1" aria-hidden="true">
-  <div class="modal-dialog modal-dialog-centered">
-    <div class="modal-content">
-      <div class="modal-header">
-        <h5 class="modal-title">Confirm Action</h5>
-        <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
-      </div>
-      <div class="modal-body" id="confirmationModalBody">
-        Are you sure you want to continue?
-      </div>
-      <div class="modal-footer">
-        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
-        <button type="button" class="btn btn-danger" id="confirmModalYes">Yes</button>
+  <!-- Modal: Confirmation -->
+  <div class="modal fade" id="confirmationModal" tabindex="-1" aria-hidden="true">
+    <div class="modal-dialog modal-dialog-centered">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Confirm Action</h5>
+          <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+        </div>
+        <div class="modal-body" id="confirmationModalBody">
+          Are you sure you want to continue?
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+          <button type="button" class="btn btn-danger" id="confirmModalYes">Yes</button>
+        </div>
       </div>
     </div>
   </div>
-</div>
+
+  <!-- Modal: Login -->
+  <div class="modal fade" id="loginModal" tabindex="-1" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
+    <div class="modal-dialog modal-dialog-centered">
+      <form id="loginForm" class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Sign In</h5>
+        </div>
+        <div class="modal-body">
+          <div class="mb-3">
+            <label class="form-label">Email</label>
+            <input type="email" class="form-control" id="loginEmail" required>
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Password</label>
+            <input type="password" class="form-control" id="loginPassword" required>
+          </div>
+          <div class="text-danger" id="loginError" style="display:none;"></div>
+        </div>
+        <div class="modal-footer d-flex justify-content-between w-100">
+          <button type="button" class="btn btn-outline-secondary" id="showRegisterBtn">Create account</button>
+          <button type="submit" class="btn btn-primary">Sign In</button>
+        </div>
+      </form>
+    </div>
+  </div>
+
+  <!-- Modal: Register -->
+  <div class="modal fade" id="registerModal" tabindex="-1" aria-hidden="true">
+    <div class="modal-dialog modal-dialog-centered">
+      <form id="registerForm" class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Create Account</h5>
+          <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+        </div>
+        <div class="modal-body">
+          <div class="mb-3">
+            <label class="form-label">Email</label>
+            <input type="email" class="form-control" id="registerEmail" required>
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Password (8+ chars)</label>
+            <input type="password" class="form-control" id="registerPassword" required minlength="8">
+          </div>
+          <div class="text-danger" id="registerError" style="display:none;"></div>
+          <div class="text-success" id="registerSuccess" style="display:none;"></div>
+        </div>
+        <div class="modal-footer d-flex justify-content-between w-100">
+          <button type="button" class="btn btn-outline-secondary" id="backToLoginBtn">Back</button>
+          <button type="submit" class="btn btn-primary">Create</button>
+        </div>
+      </form>
+    </div>
+  </div>
 
 
   <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
@@ -435,15 +489,26 @@
       fetch('get_data.php')
         .then(res => res.json())
         .then(data => {
+
+          if (!Array.isArray(data)) {
+            if (data && data.error === 'Not authenticated') {
+              new bootstrap.Modal(document.getElementById('loginModal')).show();
+              return;
+            }
+            console.error('get_data.php returned non-array:', data);
+            return;
+          }
+
           const container = document.getElementById('projectGrid');
           container.innerHTML = '';
 
           data.forEach((project, idx) => {
 			  
-			const projectId = `project-${project.id}`;
-			const colorClass = `project-color-${idx % 10}`;
+          const projectId = `project-${project.id}`;
+          const colorClass = `project-color-${idx % 10}`;
 			  
-            const col = document.createElement('div');
+          const col = document.createElement('div');
+          
 			col.className = `col-12 col-sm-6 col-md-4 col-lg-2 col-xl-2 col-xxl-1 g-2 m-0 project-column`;
 			col.dataset.projectId = project.id;
 			col.classList.add("draggable-project");
@@ -660,22 +725,6 @@ document.querySelectorAll('.project-column').forEach(col => {
         });
       });
 
-		  let itemToDelete = null;
-
-		  document.querySelectorAll('.delete-task-btn').forEach(btn => {
-		    btn.addEventListener('click', () => {
-			  itemToDelete = btn.dataset.taskId;
-			  const modal = new bootstrap.Modal(document.getElementById('confirmDeleteModal'));
-			  modal.show();
-		    });
-		  });
-
-		  document.getElementById('confirmDeleteBtn').addEventListener('click', () => {
-		    if (itemToDelete) {
-			  fetch(`delete_task.php?id=${itemToDelete}`)
-			    .then(() => location.reload()); // or re-fetch your UI
-  		    }
-		  });
         });
     }
 
@@ -744,23 +793,6 @@ document.querySelectorAll('.project-column').forEach(col => {
 	  });
 	});
 
-	document.getElementById('settingsForm').addEventListener('submit', function (e) {
-	  e.preventDefault();
-
-	  const newTitle = document.getElementById('titleText').value.trim();
-	  const newIcon = document.getElementById('iconClass').value.trim();
-
-	  if (newTitle) {
-		document.getElementById('appTitle').childNodes[1].textContent = newTitle;
-	  }
-
-	  if (newIcon) {
-		const icon = document.getElementById('appIcon');
-		icon.className = `bi ${newIcon} me-2`;
-	  }
-
-	  bootstrap.Modal.getInstance(document.getElementById('settingsModal')).hide();
-	});	
 
 	document.getElementById('settingsForm').addEventListener('submit', function (e) {
 	  e.preventDefault();
@@ -782,6 +814,7 @@ document.querySelectorAll('.project-column').forEach(col => {
 		});
 	});
 	
+
 	document.getElementById('resetSettings').addEventListener('click', () => {
 	  fetch('reset_settings.php')
 		.then(() => {
@@ -789,11 +822,102 @@ document.querySelectorAll('.project-column').forEach(col => {
 		});
 	});
 	
-	window.addEventListener('DOMContentLoaded', () => {
-	  loadSettings();
-	});	
+
+  document.getElementById('showRegisterBtn').addEventListener('click', () => {
+    bootstrap.Modal.getInstance(document.getElementById('loginModal')).hide();
+    new bootstrap.Modal(document.getElementById('registerModal')).show();
+  });
+
+  document.getElementById('backToLoginBtn').addEventListener('click', () => {
+    bootstrap.Modal.getInstance(document.getElementById('registerModal')).hide();
+    new bootstrap.Modal(document.getElementById('loginModal')).show();
+  });
+
+  document.getElementById('loginForm').addEventListener('submit', (e) => {
+    e.preventDefault();
+    const email = document.getElementById('loginEmail').value.trim();
+    const password = document.getElementById('loginPassword').value;
+
+    const err = document.getElementById('loginError');
+    err.style.display = 'none';
+    err.textContent = '';
+
+    fetch('login.php', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, password })
+    })
+    .then(async r => {
+      const data = await r.json();
+      if (!r.ok) throw new Error(data.error || 'Login failed');
+      return data;
+    })
+    .then(data => {
+      bootstrap.Modal.getInstance(document.getElementById('loginModal')).hide();
+
+      if (!data.user.can_manage_settings) {
+        document.querySelectorAll('.settings-btn').forEach(b => b.style.display = 'none');
+      }
+
+      fetchProjects();
+    })
+    .catch(ex => {
+      err.textContent = ex.message;
+      err.style.display = 'block';
+    });
+  });
+
+
+  document.getElementById('registerForm').addEventListener('submit', (e) => {
+    e.preventDefault();
+    const email = document.getElementById('registerEmail').value.trim();
+    const password = document.getElementById('registerPassword').value;
+
+    const err = document.getElementById('registerError');
+    const ok  = document.getElementById('registerSuccess');
+    err.style.display = 'none'; err.textContent = '';
+    ok.style.display = 'none';  ok.textContent = '';
+
+    fetch('register.php', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, password })
+    })
+    .then(async r => {
+      const data = await r.json();
+      if (!r.ok) throw new Error(data.error || 'Registration failed');
+      return data;
+    })
+    .then(() => {
+      ok.textContent = 'Account created. You can sign in now.';
+      ok.style.display = 'block';
+    })
+    .catch(ex => {
+      err.textContent = ex.message;
+      err.style.display = 'block';
+    });
+  });
 	
-    document.addEventListener('DOMContentLoaded', fetchProjects);
+  document.addEventListener('DOMContentLoaded', () => {
+    loadSettings();
+
+    fetch('me.php')
+      .then(r => r.json())
+      .then(me => {
+        if (!me.logged_in) {
+          const modal = new bootstrap.Modal(document.getElementById('loginModal'));
+          modal.show();
+          return;
+        }
+
+        // Hide settings button if user can't manage settings
+        if (!me.user.can_manage_settings) {
+          document.querySelectorAll('.settings-btn').forEach(b => b.style.display = 'none');
+        }
+
+        fetchProjects();
+      });
+  });
 	
   </script>
   
diff --git a/login.php b/login.php
new file mode 100644
index 0000000..1f24908
--- /dev/null
+++ b/login.php
@@ -0,0 +1,44 @@
+<?php
+require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+
+$data = json_decode(file_get_contents('php://input'), true);
+$email = strtolower(trim($data['email'] ?? ''));
+$password = strval($data['password'] ?? '');
+
+$stmt = $pdo->prepare("
+    SELECT u.id, u.email, u.password_hash,
+           r.name AS role_name,
+           r.can_manage_settings
+    FROM users u
+    JOIN roles r ON r.id = u.role_id
+    WHERE u.email = ?
+    LIMIT 1
+");
+$stmt->execute([$email]);
+$user = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$user || !password_verify($password, $user['password_hash'])) {
+    http_response_code(401);
+    echo json_encode(['success' => false, 'error' => 'Invalid credentials']);
+    exit;
+}
+
+$_SESSION['user'] = [
+    'id' => intval($user['id']),
+    'email' => $user['email'],
+    'role' => $user['role_name'],
+    'can_manage_settings' => intval($user['can_manage_settings']),
+];
+
+echo json_encode([
+    'success' => true,
+    'user' => [
+        'id' => $_SESSION['user']['id'],
+        'email' => $_SESSION['user']['email'],
+        'role' => $_SESSION['user']['role'],
+        'can_manage_settings' => $_SESSION['user']['can_manage_settings'],
+    ]
+]);
diff --git a/logout.php b/logout.php
new file mode 100644
index 0000000..87b2e25
--- /dev/null
+++ b/logout.php
@@ -0,0 +1,8 @@
+<?php
+require 'auth.php';
+header('Content-Type: application/json');
+
+$_SESSION = [];
+session_destroy();
+
+echo json_encode(['success' => true]);
diff --git a/me.php b/me.php
new file mode 100644
index 0000000..057b324
--- /dev/null
+++ b/me.php
@@ -0,0 +1,18 @@
+<?php
+require 'auth.php';
+header('Content-Type: application/json');
+
+if (!is_logged_in()) {
+    echo json_encode(['logged_in' => false]);
+    exit;
+}
+
+echo json_encode([
+    'logged_in' => true,
+    'user' => [
+        'id' => intval($_SESSION['user']['id']),
+        'email' => $_SESSION['user']['email'],
+        'role' => $_SESSION['user']['role'],
+        'can_manage_settings' => intval($_SESSION['user']['can_manage_settings']),
+    ]
+]);
diff --git a/register.php b/register.php
new file mode 100644
index 0000000..49d6020
--- /dev/null
+++ b/register.php
@@ -0,0 +1,42 @@
+<?php
+require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+
+$data = json_decode(file_get_contents('php://input'), true);
+$email = strtolower(trim($data['email'] ?? ''));
+$password = strval($data['password'] ?? '');
+
+if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Invalid email']);
+    exit;
+}
+if (strlen($password) < 8) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Password must be at least 8 characters']);
+    exit;
+}
+
+$hash = password_hash($password, PASSWORD_DEFAULT);
+
+// Standard role id from roles table
+$stmt = $pdo->prepare("SELECT id FROM roles WHERE name = 'standard' LIMIT 1");
+$stmt->execute();
+$role_id = intval($stmt->fetchColumn());
+
+if ($role_id <= 0) {
+    http_response_code(500);
+    echo json_encode(['success' => false, 'error' => "Role 'standard' not found"]);
+    exit;
+}
+
+try {
+    $stmt = $pdo->prepare("INSERT INTO users (email, password_hash, role_id) VALUES (?, ?, ?)");
+    $stmt->execute([$email, $hash, $role_id]);
+    echo json_encode(['success' => true]);
+} catch (Throwable $e) {
+    http_response_code(409);
+    echo json_encode(['success' => false, 'error' => 'Account already exists']);
+}
diff --git a/reset_settings.php b/reset_settings.php
index f7ac3b2..815b099 100644
--- a/reset_settings.php
+++ b/reset_settings.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_can_manage_settings();
+
 $stmt = $pdo->prepare("UPDATE settings SET title = 'tinyTask', icon_class = 'kanban', icon_color = '#ff0000' WHERE id = 1");
 $stmt->execute();
+
 echo json_encode(['success' => true]);
-?>
diff --git a/update_project_order.php b/update_project_order.php
index ff32701..23c9f96 100644
--- a/update_project_order.php
+++ b/update_project_order.php
@@ -1,25 +1,27 @@
 <?php
 require 'db.php';
+require 'auth.php';
 
 header('Content-Type: application/json');
 
-$data = json_decode(file_get_contents('php://input'), true);
+require_login();
+$user_id = current_user_id();
 
+$data = json_decode(file_get_contents('php://input'), true);
 if (!$data || !is_array($data)) {
   echo json_encode(['success' => false, 'message' => 'Invalid input']);
   exit;
 }
 
-$stmt = $pdo->prepare("UPDATE projects SET sort_order = ? WHERE id = ?");
+$stmt = $pdo->prepare("UPDATE projects SET sort_order = ? WHERE id = ? AND user_id = ?");
 
 foreach ($data as $item) {
-  $id = $item['id'];
-  $order = $item['order'];
+  $id = $item['id'] ?? null;
+  $order = $item['order'] ?? null;
 
   if (!is_numeric($id) || !is_numeric($order)) continue;
 
-  $stmt->execute([$order, $id]);
+  $stmt->execute([(int)$order, (int)$id, $user_id]);
 }
 
 echo json_encode(['success' => true]);
-exit;
diff --git a/update_settings.php b/update_settings.php
index 3b0c1b1..d524977 100644
--- a/update_settings.php
+++ b/update_settings.php
@@ -1,13 +1,17 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_can_manage_settings();
+
 $data = json_decode(file_get_contents('php://input'), true);
 
 $title = $data['title'] ?? 'tinyTask';
-$icon = $data['icon_class'] ?? 'kanban';
+$icon  = $data['icon_class'] ?? 'kanban';
 $color = $data['icon_color'] ?? '#ff0000';
 
 $stmt = $pdo->prepare("UPDATE settings SET title = ?, icon_class = ?, icon_color = ? WHERE id = 1");
 $stmt->execute([$title, $icon, $color]);
 
 echo json_encode(['success' => true]);
-?>
diff --git a/update_task_order.php b/update_task_order.php
index fe599fc..14e1493 100644
--- a/update_task_order.php
+++ b/update_task_order.php
@@ -1,11 +1,25 @@
 <?php
-require 'db.php'; // Adjust path if needed
+require 'db.php';
+require 'auth.php';
 
-$data = json_decode(file_get_contents("php://input"), true);
+header('Content-Type: application/json');
 
-if (isset($data['task_ids']) && is_array($data['task_ids'])) {
-    $stmt = $pdo->prepare("UPDATE tasks SET task_order = ? WHERE id = ?");
-    foreach ($data['task_ids'] as $order => $id) {
-        $stmt->execute([$order, $id]);
-    }
-    echo json_encode
+require_login();
+$user_id = current_user_id();
+
+$data = json_decode(file_get_contents('php://input'), true);
+if (!$data || !is_array($data)) {
+    echo json_encode(['success' => false, 'message' => 'Invalid input']);
+    exit;
+}
+
+$stmt = $pdo->prepare("UPDATE tasks SET task_order = ? WHERE id = ? AND user_id = ?");
+
+foreach ($data as $item) {
+    $id = $item['id'] ?? null;
+    $order = $item['order'] ?? null;
+    if (!is_numeric($id) || !is_numeric($order)) continue;
+    $stmt->execute([(int)$order, (int)$id, $user_id]);
+}
+
+echo json_encode(['success' => true]);