feat: Add payment provider plugin system for external gateway integrations

This commit introduces a comprehensive payment provider architecture to enable seamless integration with external payment gateways like SumUp and PayPal/Zettle. Architecture: - PaymentProviderInterface: Contract for all payment providers - PaymentProviderBase: Abstract base class with common functionality - PaymentProviderRegistry: Singleton registry for provider management - PaymentTransaction model: Transaction tracking and status management Infrastructure: - Webhook controller: Endpoint for external payment callbacks - Payment events: payment_initiated, payment_completed, sale_completed - payment_helper.php: Helper functions for payment provider content - Migration for ospos_payment_transactions table Core changes: - Add Events::trigger('payment_options') in locale_helper.php - Add Events::trigger('sale_completed') in Sales controller - Add Events::trigger('payment_initiated') in postAddPayment() - Add webhook routes for /payments/webhook/{provider} Provider stubs: - SumUpProvider: Card reader terminal integration - PayPalProvider: Card reader and QR code payment integration Related issues: #4346, #4322, #3232, #3789, #3790, #2275
fix: remove duplicate phpunit.xml that prevented tests from running
2026-05-25 08:44:42 -04:00 · 2026-04-01 21:29:45 +00:00 · 2026-04-01 16:46:03 +00:00 · 2026-04-01 16:46:03 +00:00 · 2026-04-01 16:46:03 +00:00 · 2026-04-01 16:46:03 +00:00
385 changed files with 12532 additions and 3170 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,23 +1,56 @@
-node_modules
-tmp
+# Version control
+.git
+.gitignore
+
+# Sensitive config (user may mount their own)
 app/Config/Email.php
+
+# Build artifacts
+node_modules/
+dist/
+tmp/
 *.patch
 patches/
+
+# IDE and editor files
 .idea/
-git-svn-diff.py
-*.bash
+.vscode/
 .swp
+*.swp
 .buildpath
 .project
-.settings/*
-.git
-dist/
-node_modules/
-*.swp
+.settings/
+
+# Development tools and configs
+tests/
+phpunit.xml
+.php-cs-fixer.*
+phpstan.neon
+*.bash
+git-svn-diff.py
+
+# Documentation
+*.md
+!LICENSE
+branding/
+
+# Build configs (not needed at runtime)
+composer.json
+composer.lock
+package.json
+package-lock.json
+gulpfile.js
+.env.example
+.dockerignore
+
+# Temporary and backup files
 *.rej
 *.orig
 *~
 *.~
 *.log
-app/writable/session/*
-!app/writable/session/index.html
+
+# CI
+.github/
+.github/workflows/
+build/
--- a/.env.example
+++ b/.env.example
@@ -4,6 +4,35 @@

 CI_ENVIRONMENT = production

+#--------------------------------------------------------------------
+# SECURITY: ALLOWED HOSTNAMES
+#--------------------------------------------------------------------
+# IMPORTANT: Whitelist of allowed hostnames to prevent Host Header 
+# Injection attacks (GHSA-jchf-7hr6-h4f3).
+#
+# If not configured, the application will default to 'localhost',
+# which may break functionality in production.
+#
+# Configure this with all domains/subdomains that host your application:
+# - Primary domain
+# - WWW subdomain (if used)  
+# - Any alternative domains
+#
+# Examples:
+#   Single domain:
+#     app.allowedHostnames.0 = 'example.com'
+#
+#   Multiple domains:
+#     app.allowedHostnames.0 = 'example.com'
+#     app.allowedHostnames.1 = 'www.example.com'
+#     app.allowedHostnames.2 = 'demo.opensourcepos.org'
+#
+# For localhost development:
+#     app.allowedHostnames.0 = 'localhost'
+#
+# Note: Do not include the protocol (http/https) or port number.
+#app.allowedHostnames.0 = ''
+
 #--------------------------------------------------------------------
 # DATABASE
 #--------------------------------------------------------------------
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -0,0 +1,61 @@
+# GitHub Actions
+
+This document describes the CI/CD workflows for OSPOS.
+
+## Build and Release Workflow (`.github/workflows/build-release.yml`)
+
+### Build Process
+- Setup PHP 8.2 with required extensions
+- Setup Node.js 20
+- Install composer dependencies
+- Install npm dependencies
+- Build frontend assets with Gulp
+
+### Docker Images
+- Build and push `opensourcepos` Docker image for multiple architectures (linux/amd64, linux/arm64)
+- On master: tagged with version and `latest`
+- On other branches: tagged with version only
+- Pushed to Docker Hub
+
+### Releases
+- Create distribution archives (tar.gz, zip)
+- Create/update GitHub "unstable" release on master branch only
+
+## Required Secrets
+
+To use this workflow, you need to add the following secrets to your repository:
+
+1. **DOCKER_USERNAME** - Docker Hub username for pushing images
+2. **DOCKER_PASSWORD** - Docker Hub password/token for pushing images
+
+### How to add secrets
+
+1. Go to your repository on GitHub
+2. Click **Settings** → **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Add `DOCKER_USERNAME` and `DOCKER_PASSWORD`
+
+The `GITHUB_TOKEN` is automatically provided by GitHub Actions.
+
+## Workflow Triggers
+
+- **Push to master** - Runs build, Docker push (with `latest` tag), and release
+- **Push to other branches** - Runs build and Docker push (version tag only)
+- **Push tags** - Runs build and Docker push (version tag only)
+- **Pull requests** - Runs build only (PHPUnit tests run in parallel via phpunit.yml)
+
+## Existing Workflows
+
+This repository also has these workflows:
+- `.github/workflows/main.yml` - PHP linting with PHP-CS-Fixer
+- `.github/workflows/phpunit.yml` - PHPUnit tests (runs on all PHP versions 8.1-8.4)
+- `.github/workflows/php-linter.yml` - PHP linting
+
+## Testing
+
+PHPUnit tests are run separately via `.github/workflows/phpunit.yml` on every push and pull request, testing against PHP 8.1, 8.2, 8.3, and 8.4.
+
+To test the build workflow:
+1. Add the required secrets
+2. Push to master or create a PR
+3. Monitor the Actions tab in GitHub
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -0,0 +1,218 @@
+name: Build and Release
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      version-tag: ${{ steps.version.outputs.version-tag }}
+      short-sha: ${{ steps.version.outputs.short-sha }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+          extensions: intl, mbstring, mysqli, gd, bcmath, zip
+          coverage: none
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Get composer cache directory
+        run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_ENV
+
+      - name: Cache composer dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.COMPOSER_CACHE_FILES_DIR }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-composer-
+
+      - name: Get npm cache directory
+        run: echo "NPM_CACHE_DIR=$(npm config get cache)" >> $GITHUB_ENV
+
+      - name: Cache npm dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.NPM_CACHE_DIR }}
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install composer dependencies
+        run: composer install --no-dev --optimize-autoloader
+
+      - name: Install npm dependencies
+        run: npm ci
+
+      - name: Install gulp globally
+        run: npm install -g gulp-cli
+
+      - name: Get version info
+        id: version
+        run: |
+          VERSION=$(grep "application_version" app/Config/App.php | sed "s/.*= '\(.*\)';/\1/g")
+          BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | sed 's/feature\///')
+          TAG=$(echo "${GITHUB_TAG:-$BRANCH}" | tr '/' '-')
+          SHORT_SHA=$(git rev-parse --short=6 HEAD)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "version-tag=$VERSION-$BRANCH-$SHORT_SHA" >> $GITHUB_OUTPUT
+          echo "short-sha=$SHORT_SHA" >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TAG: ${{ github.ref_name }}
+
+      - name: Create .env file
+        run: |
+          cp .env.example .env
+          sed -i 's/production/development/g' .env
+
+      - name: Update commit hash
+        run: |
+          SHORT_SHA="${{ steps.version.outputs.short-sha }}"
+          sed -i "s/commit_sha1 = 'dev'/commit_sha1 = '$SHORT_SHA'/g" app/Config/OSPOS.php
+
+      - name: Build frontend assets
+        run: npm run build
+
+      - name: Create distribution archives
+        run: |
+          set -euo pipefail
+          gulp compress
+          VERSION="${{ steps.version.outputs.version }}"
+          SHORT_SHA="${{ steps.version.outputs.short-sha }}"
+          mv dist/opensourcepos.tar "dist/opensourcepos.$VERSION.$SHORT_SHA.tar"
+          mv dist/opensourcepos.zip "dist/opensourcepos.$VERSION.$SHORT_SHA.zip"
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-${{ steps.version.outputs.short-sha }}
+          path: dist/
+          retention-days: 7
+
+      - name: Upload build context for Docker
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-context-${{ steps.version.outputs.short-sha }}
+          path: |
+            .
+            !.git
+            !node_modules
+          retention-days: 1
+
+  docker:
+    name: Build Docker Image
+    runs-on: ubuntu-22.04
+    needs: build
+    if: github.event_name == 'push'
+
+    steps:
+      - name: Download build context
+        uses: actions/download-artifact@v4
+        with:
+          name: build-context-${{ needs.build.outputs.short-sha }}
+          path: .
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Determine Docker tags
+        id: tags
+        run: |
+          BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr '/' '-')
+          if [ "$BRANCH" = "master" ]; then
+            echo "tags=${{ secrets.DOCKER_USERNAME }}/opensourcepos:${{ needs.build.outputs.version-tag }},${{ secrets.DOCKER_USERNAME }}/opensourcepos:latest" >> $GITHUB_OUTPUT
+          else
+            echo "tags=${{ secrets.DOCKER_USERNAME }}/opensourcepos:${{ needs.build.outputs.version-tag }}" >> $GITHUB_OUTPUT
+          fi
+        env:
+          GITHUB_REF: ${{ github.ref }}
+
+      - name: Build and push Docker images
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          target: ospos
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.tags.outputs.tags }}
+
+  release:
+    name: Create Release
+    needs: build
+    runs-on: ubuntu-22.04
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-${{ needs.build.outputs.short-sha }}
+          path: dist/
+
+      - name: Get version info
+        id: version
+        run: |
+          VERSION="${{ needs.build.outputs.version }}"
+          SHORT_SHA=$(git rev-parse --short=6 HEAD)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "short-sha=$SHORT_SHA" >> $GITHUB_OUTPUT
+
+      - name: Create/Update unstable release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: unstable
+          name: Unstable OpenSourcePOS
+          body: |
+            This is a build of the latest master which might contain bugs. Use at your own risk.
+            
+            Check the releases section for the latest official release.
+          files: |
+            dist/opensourcepos.${{ steps.version.outputs.version }}.${{ steps.version.outputs.short-sha }}.zip
+          prerelease: true
+          draft: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ master ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ master ]
-  schedule:
-    - cron: '21 12 * * 3'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'javascript' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/opencode.yml
+++ b/.github/workflows/opencode.yml
@@ -0,0 +1,33 @@
+name: opencode
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+
+jobs:
+  opencode:
+    if: |
+      contains(github.event.comment.body, ' /oc') ||
+      startsWith(github.event.comment.body, '/oc') ||
+      contains(github.event.comment.body, ' /opencode') ||
+      startsWith(github.event.comment.body, '/opencode')
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: read
+      issues: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - name: Run opencode
+        uses: anomalyco/opencode/github@latest
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+        with:
+          model: anthropic/claude-3-haiku-20240307
--- a/.github/workflows/phpunit.yml
+++ b/.github/workflows/phpunit.yml
@@ -0,0 +1,122 @@
+name: PHPUnit Tests
+
+on:
+  push:
+    paths:
+      - '**.php'
+      - 'spark'
+      - 'tests/**'
+      - '.github/workflows/phpunit.yml'
+      - 'gulpfile.js'
+      - 'app/Database/**'
+  pull_request:
+    paths:
+      - '**.php'
+      - 'spark'
+      - 'tests/**'
+      - '.github/workflows/phpunit.yml'
+      - 'gulpfile.js'
+      - 'app/Database/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: PHP ${{ matrix.php-version }} Tests
+    runs-on: ubuntu-22.04
+
+    strategy:
+      fail-fast: false
+      matrix:
+        php-version:
+          - '8.1'
+          - '8.2'
+          - '8.3'
+          - '8.4'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-version }}
+          extensions: intl, mbstring, mysqli
+          coverage: none
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Get npm cache directory
+        run: echo "NPM_CACHE_DIR=$(npm config get cache)" >> $GITHUB_ENV
+
+      - name: Cache npm dependencies
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.NPM_CACHE_DIR }}
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install npm dependencies
+        run: npm install
+
+      - name: Start MariaDB
+        run: |
+          docker run -d --name mysql \
+            -e MYSQL_ROOT_PASSWORD=root \
+            -e MYSQL_DATABASE=ospos \
+            -e MYSQL_USER=admin \
+            -e MYSQL_PASSWORD=pointofsale \
+            -p 3306:3306 \
+            mariadb:10.5
+          # Wait for MariaDB to be ready
+          until docker exec mysql mysqladmin ping -h 127.0.0.1 -u root -proot --silent; do
+            echo "Waiting for MariaDB..."
+            sleep 2
+          done
+          echo "MariaDB is ready!"
+
+      - name: Get composer cache directory
+        run: echo "COMPOSER_CACHE_FILES_DIR=$(composer config cache-files-dir)" >> $GITHUB_ENV
+
+      - name: Cache dependencies
+        uses: actions/cache@v3
+        with:
+          path: ${{ env.COMPOSER_CACHE_FILES_DIR }}
+          key: ${{ runner.os }}-${{ matrix.php-version }}-${{ hashFiles('**/composer.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.php-version }}-
+            ${{ runner.os }}-
+
+      - name: Install dependencies
+        run: composer update --ansi --no-interaction
+
+      - name: Create .env file
+        run: cp .env.example .env
+
+      - name: Run PHPUnit tests
+        env:
+          CI_ENVIRONMENT: testing
+          MYSQL_HOST_NAME: 127.0.0.1
+        run: composer test -- --log-junit test-results/junit.xml
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-results-php-${{ matrix.php-version }}
+          path: test-results/
+          retention-days: 30
+
+      - name: Stop MariaDB
+        if: always()
+        run: docker stop mysql && docker rm mysql
--- a/.github/workflows/update-issue-templates.yml
+++ b/.github/workflows/update-issue-templates.yml
@@ -0,0 +1,72 @@
+name: Update Issue Templates
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  update-templates:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        
+      - name: Fetch releases and update templates
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Fetch releases from GitHub API
+          RELEASES=$(gh api repos/${{ github.repository }}/releases --jq '.[].tag_name' | head -n 10)
+          
+          # Create temporary file with options
+          OPTIONS_FILE=$(mktemp)
+          echo "        - development (unreleased)" >> "$OPTIONS_FILE"
+          while IFS= read -r release; do
+            echo "        - opensourcepos $release" >> "$OPTIONS_FILE"
+          done <<< "$RELEASES"
+          
+          update_template() {
+            local template="$1"
+            local template_path=".github/ISSUE_TEMPLATE/$template"
+            
+            # Find the line numbers for the OpensourcePOS Version dropdown
+            start_line=$(grep -n "label: OpensourcePOS Version" "$template_path" | cut -d: -f1)
+            
+            if [ -z "$start_line" ]; then
+              echo "Could not find OpensourcePOS Version in $template"
+              return 1
+            fi
+            
+            # Find the options section and default line
+            options_start=$((start_line + 3))
+            default_line=$(grep -n "default:" "$template_path" | awk -F: -v opts="$options_start" '$1 > opts {print $1; exit}')
+            
+            # Create new template file
+            head -n $((options_start - 1)) "$template_path" > "${template_path}.new"
+            cat "$OPTIONS_FILE" >> "${template_path}.new"
+            tail -n +$default_line "$template_path" >> "${template_path}.new"
+            mv "${template_path}.new" "$template_path"
+            
+            echo "Updated $template"
+          }
+          
+          update_template "bug report.yml"
+          update_template "feature_request.yml"
+          
+      - name: Commit and push changes
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .github/ISSUE_TEMPLATE/*.yml
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "Update issue templates with latest releases [skip ci]"
+            git push
+          fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,54 +0,0 @@
-sudo: required
-
-branches:
-  except:
-    - unstable
-    - weblate
-services:
-  - docker
-
-dist: jammy
-language: node_js
-node_js:
-  - 20
-script:
-  - echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
-  - docker run --rm -u $(id -u) -v $(pwd):/app opensourcepos/composer:ci4 composer install
-  - version=$(grep application_version app/Config/App.php | sed "s/.*=\s'\(.*\)';/\1/g")
-  - cp .env.example .env && sed -i 's/production/development/g' .env
-  - sed -i "s/commit_sha1 = 'dev'/commit_sha1 = '$rev'/g" app/Config/OSPOS.php
-  - echo "$version-$branch-$rev"
-  - npm version "$version-$branch-$rev" --force || true
-  - sed -i 's/opensourcepos.tar.gz/opensourcepos.$version.tgz/g' package.json
-  - npm ci && npm install -g gulp && npm run build
-  - docker build . --target ospos -t ospos
-  - docker build . --target ospos_test -t ospos_test
-  - docker run --rm ospos_test /app/vendor/bin/phpunit --testdox
-  - docker build app/Database/ -t "jekkos/opensourcepos:sql-$TAG"
-env:
-  global:
-  - BRANCH=$(echo ${TRAVIS_BRANCH} | sed s/feature\\///)
-  - TAG=${TRAVIS_TAG:-$BRANCH}
-  - date=`date +%Y%m%d%H%M%S` && branch=${TRAVIS_BRANCH} && rev=`git rev-parse --short=6 HEAD`
-after_success:
-  - docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD" && docker tag "ospos:latest"
-    "jekkos/opensourcepos:$TAG" && docker push "jekkos/opensourcepos:$TAG" && docker push "jekkos/opensourcepos:sql-$TAG"
-  - gulp compress
-  - mv dist/opensourcepos.tar.gz "dist/opensourcepos.$version.$rev.tgz"
-  - mv dist/opensourcepos.zip "dist/opensourcepos.$version.$rev.zip"
-deploy:
-  - provider: releases
-    edge: true
-    file: dist/opensourcepos.$version.$rev.zip
-    name: "Unstable OpensourcePos"
-    overwrite: true
-    release_notes: "This is a build of the latest master which might contain bugs. Use at your own risk. Check releases section for the latest official release"
-    prerelease: true
-    tag_name: unstable
-    user: jekkos
-
-    api_key:
-      secure: "KOukL8IFf/uL/BjMyCSKjf2vylydjcWqgEx0eMqFCg3nZ4ybMaOwPORRthIfyT72/FvGX/aoxxEn0uR/AEtb+hYQXHmNS+kZdX72JCe8LpGuZ7FJ5X+Eo9mhJcsmS+smd1sC95DySSc/GolKPo+0WtJYONY/xGCLxm+9Ay4HREg="
-
-    on:
-      branch: master
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,40 @@
+# Agent Instructions
+
+This document provides guidance for AI agents working on the Open Source Point of Sale (OSPOS) codebase.
+
+## Code Style
+
+- Follow PHP CodeIgniter 4 coding standards
+- Run PHP-CS-Fixer before committing: `vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.no-header.php`
+- Write PHP 8.1+ compatible code with proper type declarations
+- Use PSR-12 naming conventions: `camelCase` for variables and functions, `PascalCase` for classes, `UPPER_CASE` for constants
+
+## Development
+
+- Create a new git worktree for each issue, based on the latest state of `origin/master`
+- Commit fixes to the worktree and push to the remote
+
+## Testing
+
+- Run PHPUnit tests: `composer test`
+- Tests must pass before submitting changes
+
+## Build
+
+- Install dependencies: `composer install && npm install`
+- Build assets: `npm run build` or `gulp`
+
+## Conventions
+
+- Controllers go in `app/Controllers/`
+- Models go in `app/Models/`
+- Views go in `app/Views/`
+- Database migrations in `app/Database/Migrations/`
+- Use CodeIgniter 4 framework patterns and helpers
+- Sanitize user input; escape output using `esc()` helper
+
+## Security
+
+- Never commit secrets, credentials, or `.env` files
+- Use parameterized queries to prevent SQL injection
+- Validate and sanitize all user input
--- a/32
+++ b/32
@@ -1,28 +1,22 @@
 FROM php:8.2-apache AS ospos
 LABEL maintainer="jekkos"

-RUN apt update && apt-get install -y libicu-dev libgd-dev
-RUN a2enmod rewrite
-RUN docker-php-ext-install mysqli bcmath intl gd
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libicu-dev \
+    libgd-dev \
+    && docker-php-ext-install mysqli bcmath intl gd \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && a2enmod rewrite
+
 RUN echo "date.timezone = \"\${PHP_TIMEZONE}\"" > /usr/local/etc/php/conf.d/timezone.ini

 WORKDIR /app
-COPY . /app
-RUN ln -s /app/*[^public] /var/www && rm -rf /var/www/html && ln -nsf /app/public /var/www/html
-RUN chmod -R 770 /app/writable/uploads /app/writable/logs /app/writable/cache && chown -R www-data:www-data /app
-
-FROM ospos AS ospos_test
-
-COPY --from=composer /usr/bin/composer /usr/bin/composer
-
-RUN apt-get install -y libzip-dev wget git
-RUN wget https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh -O /bin/wait-for-it.sh && chmod +x /bin/wait-for-it.sh
-RUN docker-php-ext-install zip
-RUN composer install -d/app
-#RUN sed -i 's/backupGlobals="true"/backupGlobals="false"/g' /app/tests/phpunit.xml
-WORKDIR /app/tests
-
-CMD ["/app/vendor/phpunit/phpunit/phpunit", "/app/test/helpers"]
+COPY --chown=www-data:www-data . /app
+RUN chmod 770 /app/writable/uploads /app/writable/logs /app/writable/cache \
+    && ln -s /app/*[^public] /var/www \
+    && rm -rf /var/www/html \
+    && ln -nsf /app/public /var/www/html

 FROM ospos AS ospos_dev

--- a/Dockerfile.test
+++ b/Dockerfile.test
@@ -0,0 +1,3 @@
+FROM php:8.4-cli
+RUN apt-get update && apt-get install -y libicu-dev && docker-php-ext-install intl
+WORKDIR /app
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -6,22 +6,53 @@
 - Raspberry PI based installations proved to work, see [wiki page here](<https://github.com/opensourcepos/opensourcepos/wiki/Installing-on-Raspberry-PI---Orange-PI-(Headless-OSPOS)>).
 - For Windows based installations please read [the wiki](https://github.com/opensourcepos/opensourcepos/wiki). There are closed issues about this subject, as this topic has been covered a lot.

+## Security Configuration
+
+### Allowed Hostnames (Required for Production)
+
+OpenSourcePOS validates the Host header against a whitelist to prevent Host Header Injection attacks (GHSA-jchf-7hr6-h4f3). **You must configure this for production deployments.**
+
+Add the following to your `.env` file:
+
+```
+app.allowedHostnames.0 = 'yourdomain.com'
+app.allowedHostnames.1 = 'www.yourdomain.com'
+```
+
+**For local development**, use:
+```
+app.allowedHostnames.0 = 'localhost'
+```
+
+If `allowedHostnames` is not configured:
+1. A security warning will be logged
+2. The application will fall back to 'localhost' as the hostname
+3. This means URLs generated by the application (links, redirects, etc.) will point to 'localhost'
+
+### HTTPS Behind Proxy
+
+If your installation is behind a proxy with SSL offloading, set:
+```
+FORCE_HTTPS = true
+```
+
 ## Local install

-First of all, if you're seeing the message `system folder missing` after launching your browser, or cannot find `database.sql`, that most likely means you have cloned the repository and have not built the project.  To build the project from a source commit point instead of from an official release check out [Building OSPOS](BUILD.md). Otherwise, continue with the following steps.
+First of all, if you're seeing the message `system folder missing` after launching your browser, that most likely means you have cloned the repository and have not built the project. To build the project from a source commit point instead of from an official release check out [Building OSPOS](BUILD.md). Otherwise, continue with the following steps.

 1. Download the a [pre-release for a specific branch](https://github.com/opensourcepos/opensourcepos/releases) or the latest stable [from GitHub here](https://github.com/opensourcepos/opensourcepos/releases). A repository clone will not work unless know how to build the project.
 2. Create/locate a new MySQL database to install Open Source Point of Sale into.
-3. Execute the file `app/Database/database.sql` to create the tables needed.
-4. Unzip and upload Open Source Point of Sale files to the web-server.
-5. Open `.env` file and modify credentials to connect to your database if needed. (First copy .env.example to .env and update)
+3. Unzip and upload Open Source Point of Sale files to the web-server.
+4. If `.env` does not exist, copy `.env.example` to `.env`.
+5. Open `.env` and modify credentials to connect to your database if needed.
+6. The database schema will be automatically created when you first access the application. Migrations run automatically on fresh installs.
 7. Go to your install `public` dir via the browser.
 8. Log in using
   - Username: admin
   - Password: pointofsale
 9. If everything works, then set the `CI_ENVIRONMENT` variable to `production` in the .env file
-9. Enjoy!
-10. Oops, an issue? Please make sure you read the FAQ, wiki page, and you checked open and closed issues on GitHub. PHP `display_errors` is disabled by default. Create an` app/Config/.env` file from the `.env.example` to enable it in a development environment.
+10. Enjoy!
+11. Oops, an issue? Please make sure you read the FAQ, wiki page, and you checked open and closed issues on GitHub. PHP `display_errors` is disabled by default. Create an` app/Config/.env` file from the `.env.example` to enable it in a development environment.

 ## Local install using Docker

--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 </p>

 <p align="center">
-<a href="https://app.travis-ci.com/opensourcepos/opensourcepos" target="_blank"><img src="https://api.travis-ci.com/opensourcepos/opensourcepos.svg?branch=master" alt="Build Status"></a>
+<a href="https://github.com/opensourcepos/opensourcepos/actions/workflows/build-release.yml" target="_blank"><img src="https://github.com/opensourcepos/opensourcepos/actions/workflows/build-release.yml/badge.svg" alt="Build Status"></a>
 <a href="https://app.gitter.im/#/room/#opensourcepos_Lobby:gitter.im?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge" target="_blank"><img src="https://badges.gitter.im/jekkos/opensourcepos.svg" alt="Join the chat at https://app.gitter.im"></a>
 <a href="https://badge.fury.io/gh/opensourcepos%2Fopensourcepos" target="_blank"><img src="https://badge.fury.io/gh/opensourcepos%2Fopensourcepos.svg" alt="Project Version"></a>
 <a href="https://translate.opensourcepos.org/engage/opensourcepos/?utm_source=widget" target="_blank"><img src="https://translate.opensourcepos.org/widgets/opensourcepos/-/svg-badge.svg" alt="Translation Status"></a>
@@ -137,7 +137,7 @@ Any person or company found breaching the license agreement might find a bunch o

 ## 🙏 Credits

-| <div align="center">DigitalOcean</div> | <div align="center">JetBrains</div> | <div align="center">Travis CI</div> |
+| <div align="center">DigitalOcean</div> | <div align="center">JetBrains</div> | <div align="center">GitHub</div> |
 | --- | --- | --- |
-| <div align="center"><a href="https://www.digitalocean.com?utm_medium=opensource&utm_source=opensourcepos" target="_blank"><img src="https://github.com/user-attachments/assets/fbbf7433-ed35-407d-8946-fd03d236d350" alt="DigitalOcean Logo" height="50"></a></div> | <div align="center"><a href="https://www.jetbrains.com/idea/" target="_blank"><img src="https://github.com/opensourcepos/opensourcepos/assets/12870258/187f9bbe-4484-475c-9b58-5e5d5f931f09" alt="IntelliJ IDEA Logo" height="50"></a></div> | <div align="center"><a href="https://www.travis-ci.com/" target="_blank"><img src="https://github.com/opensourcepos/opensourcepos/assets/12870258/71cc2b44-83af-4510-a543-6358285f43c6" alt="Travis CI Logo" height="50"></a></div> |
-| Many thanks to [DigitalOcean](https://www.digitalocean.com) for providing the project with hosting credits. | Many thanks to [JetBrains](https://www.jetbrains.com/) for providing a free license of [IntelliJ IDEA](https://www.jetbrains.com/idea/) to kindly support the development of OSPOS. | Many thanks to [Travis CI](https://www.travis-ci.com/) for providing a free continuous integration service for open source projects. |
+| <div align="center"><a href="https://www.digitalocean.com?utm_medium=opensource&utm_source=opensourcepos" target="_blank"><img src="https://github.com/user-attachments/assets/fbbf7433-ed35-407d-8946-fd03d236d350" alt="DigitalOcean Logo" height="50"></a></div> | <div align="center"><a href="https://www.jetbrains.com/idea/" target="_blank"><img src="https://github.com/opensourcepos/opensourcepos/assets/12870258/187f9bbe-4484-475c-9b58-5e5d5f931f09" alt="IntelliJ IDEA Logo" height="50"></a></div> | <div align="center"><a href="https://github.com/features/actions" target="_blank"><img src="https://github.githubassets.com/images/modules/site/icons/eyebrow-panel/actions-icon.svg" alt="GitHub Actions Logo" height="50"></a></div> |
+| Many thanks to [DigitalOcean](https://www.digitalocean.com) for providing the project with hosting credits. | Many thanks to [JetBrains](https://www.jetbrains.com/) for providing a free license of [IntelliJ IDEA](https://www.jetbrains.com/idea/) to kindly support the development of OSPOS. | Many thanks to [GitHub](https://github.com) for providing free continuous integration via GitHub Actions for open-source projects. |
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,9 +1,9 @@
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

-
 - [Security Policy](#security-policy)
  - [Supported Versions](#supported-versions)
+  - [Security Advisories](#security-advisories)
  - [Reporting a Vulnerability](#reporting-a-vulnerability)

 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@@ -12,14 +12,35 @@

 ## Supported Versions

-We release patches for security vulnerabilities. Which versions are eligible to receive such patches depend on the CVSS v3.0 Rating:
+We release patches for security vulnerabilities.

-| CVSS v3.0 | Supported Versions                                 |
-| --------- | -------------------------------------------------- |
-| 7.3       | 3.3.5                                              |
-| 9.8       | 3.3.6                                              |
-| 6.8       | 3.4.2                                              |
+| Version   | Supported          |
+| --------- | ------------------ |
+| >= 3.4.2  | :white_check_mark: |
+| < 3.4.2   | :x:                |
+
+## Security Advisories
+
+The following security vulnerabilities have been published:
+
+### High Severity
+
+| CVE | Vulnerability | CVSS | Published | Fixed In | Credit |
+|-----|--------------|------|-----------|----------|--------|
+| [CVE-2025-68434](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-wjm4-hfwg-5w5r) | CSRF leading to Admin Creation | 8.8 | 2025-12-17 | 3.4.2 | @Nixon-H, @jekkos |
+| [CVE-2025-68147](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh) | Stored XSS in Return Policy | 8.1 | 2025-12-17 | 3.4.2 | @Nixon-H, @jekkos |
+| [CVE-2025-66924](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-gv8j-f6gq-g59m) | Stored XSS in Item Kits | 7.2 | 2026-03-04 | 3.4.2 | @hungnqdz, @omkaryepre |
+
+### Medium Severity
+
+| CVE | Vulnerability | CVSS | Published | Fixed In | Credit |
+|-----|--------------|------|-----------|----------|--------|
+| [CVE-2025-68658](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw) | Stored XSS in Company Name | 4.3 | 2026-01-13 | 3.4.2 | @hungnqdz |
+
+For a complete list including draft advisories, see our [GitHub Security Advisories page](https://github.com/opensourcepos/opensourcepos/security/advisories).

 ## Reporting a Vulnerability

-Please report (suspected) security vulnerabilities to **[jeroen@steganos.dev](mailto:jeroen@steganos.dev)**. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
+Please report (suspected) security vulnerabilities to **[jeroen@steganos.dev](mailto:jeroen@steganos.dev)**. 
+
+You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -55,13 +55,21 @@ class App extends BaseConfig
    public string $baseURL;    // Defined in the constructor

    /**
-     * Allowed Hostnames in the Site URL other than the hostname in the baseURL.
-     * If you want to accept multiple Hostnames, set this.
-     *
-     * E.g.,
-     * When your site URL ($baseURL) is 'http://example.com/', and your site
-     * also accepts 'http://media.example.com/' and 'http://accounts.example.com/':
-     *     ['media.example.com', 'accounts.example.com']
+     * Allowed Hostnames for the Site URL.
+     * 
+     * Security: This is used to validate the HTTP Host header to prevent
+     * Host Header Injection attacks. If the Host header doesn't match
+     * an entry in this list, the request will use the first allowed hostname.
+     * 
+     * IMPORTANT: This MUST be configured for production deployments.
+     * If empty, the application will fall back to 'localhost'.
+     * 
+     * Configure via .env file:
+     *   app.allowedHostnames.0 = 'example.com'
+     *   app.allowedHostnames.1 = 'www.example.com'
+     * 
+     * For local development:
+     *   app.allowedHostnames.0 = 'localhost'
     *
     * @var list<string>
     */
@@ -284,8 +292,44 @@ class App extends BaseConfig
    {
        parent::__construct();
        $this->https_on = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (isset($_ENV['FORCE_HTTPS']) && $_ENV['FORCE_HTTPS'] == 'true');
+        
+        $host = $this->getValidHost();
        $this->baseURL = $this->https_on ? 'https' : 'http';
-        $this->baseURL .= '://' . ((isset($_SERVER['HTTP_HOST'])) ? $_SERVER['HTTP_HOST'] : 'localhost') . '/';
+        $this->baseURL .= '://' . $host . '/';
        $this->baseURL .= str_replace(basename($_SERVER['SCRIPT_NAME']), '', $_SERVER['SCRIPT_NAME']);
    }
+
+    /**
+     * Validates and returns a trusted hostname.
+     * 
+     * Security: Prevents Host Header Injection attacks (GHSA-jchf-7hr6-h4f3)
+     * by validating the HTTP_HOST against a whitelist of allowed hostnames.
+     * 
+     * @return string A validated hostname
+     */
+    private function getValidHost(): string
+    {
+        $httpHost = $_SERVER['HTTP_HOST'] ?? 'localhost';
+
+        if (empty($this->allowedHostnames)) {
+            log_message('warning', 
+                'Security: allowedHostnames is not configured. ' .
+                'Host header injection protection is disabled. ' .
+                'Please set app.allowedHostnames in your .env file. ' .
+                'Received Host: ' . $httpHost
+            );
+            return 'localhost';
+        }
+
+        if (in_array($httpHost, $this->allowedHostnames, true)) {
+            return $httpHost;
+        }
+
+        log_message('warning', 
+            'Security: Rejected HTTP_HOST "' . $httpHost . '" - not in allowedHostnames whitelist. ' .
+            'Using fallback: ' . $this->allowedHostnames[0]
+        );
+
+        return $this->allowedHostnames[0];
+    }
 }
--- a/app/Config/Boot/testing.php
+++ b/app/Config/Boot/testing.php
@@ -1,38 +1,23 @@
 <?php

-/*
- * The environment testing is reserved for PHPUnit testing. It has special
- * conditions built into the framework at various places to assist with that.
- * You can’t use it for your development.
- */
-
 /*
 |--------------------------------------------------------------------------
- | ERROR DISPLAY
+| ERROR DISPLAY
 |--------------------------------------------------------------------------
- | In development, we want to show as many errors as possible to help
- | make sure they don't make it to production. And save us hours of
- | painful debugging.
- */
+*/
 error_reporting(E_ALL);
 ini_set('display_errors', '1');

 /*
 |--------------------------------------------------------------------------
- | DEBUG BACKTRACES
+| DEBUG BACKTRACES
 |--------------------------------------------------------------------------
- | If true, this constant will tell the error screens to display debug
- | backtraces along with the other error information. If you would
- | prefer to not see this, set this value to false.
- */
+*/
 defined('SHOW_DEBUG_BACKTRACE') || define('SHOW_DEBUG_BACKTRACE', true);

 /*
 |--------------------------------------------------------------------------
- | DEBUG MODE
+| DEBUG MODE
 |--------------------------------------------------------------------------
- | Debug mode is an experimental flag that can allow changes throughout
- | the system. It's not widely used currently, and may not survive
- | release of the framework.
- */
-defined('CI_DEBUG') || define('CI_DEBUG', true);
+*/
+defined('CI_DEBUG') || define('CI_DEBUG', true);
--- a/app/Config/Constants.php
+++ b/app/Config/Constants.php
@@ -169,3 +169,8 @@ const MAX_PRECISION = 1e14;
 const DEFAULT_PRECISION = 2;
 const DEFAULT_LANGUAGE = 'english';
 const DEFAULT_LANGUAGE_CODE = 'en';
+
+/**
+ * Admin modules - list of modules required for admin privileges
+ */
+const ADMIN_MODULES = ['customers', 'employees', 'giftcards', 'items', 'item_kits', 'messages', 'receivings', 'reports', 'sales', 'config', 'suppliers'];
--- a/app/Config/Filters.php
+++ b/app/Config/Filters.php
@@ -100,9 +100,25 @@ class Filters extends BaseFilters
     * before or after URI patterns.
     *
     * Example:
-     * 'isLoggedIn' => ['before' => ['account/*', 'profiles/*']]
+     * isLoggedIn' => ['before' => ['account/*', 'profiles/*']]
     *
     * @var array<string, array<string, list<string>>>
     */
    public array $filters = [];
+
+    /**
+     * Constructor to conditionally disable CSRF filter in testing environment
+     */
+    public function __construct()
+    {
+        // Check for testing environment via env variable or constant
+        $isTesting = ($_ENV['CI_ENVIRONMENT'] ?? $_SERVER['CI_ENVIRONMENT'] ?? getenv('CI_ENVIRONMENT')) === 'testing'
+            || (defined('ENVIRONMENT') && ENVIRONMENT === 'testing');
+
+        // Remove CSRF filter from globals in testing environment
+        if ($isTesting) {
+            // Remove the 'csrf' key from $globals['before'] while preserving array structure
+            $this->globals['before'] = array_filter($this->globals['before'], static fn($key) => $key !== 'csrf', ARRAY_FILTER_USE_KEY);
+        }
+    }
 }
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@@ -11,6 +11,10 @@ $routes->get('/', 'Login::index');
 $routes->get('login', 'Login::index');
 $routes->post('login', 'Login::index');

+// Payment provider webhook routes (no authentication required)
+$routes->post('payments/webhook/(:segment)', 'Payments\Webhook::handle/$1');
+$routes->get('payments/status/(:segment)/(:segment)', 'Payments\Webhook::status/$1/$2');
+
 $routes->add('no_access/index/(:segment)', 'No_access::index/$1');
 $routes->add('no_access/index/(:segment)/(:segment)', 'No_access::index/$1/$2');

--- a/app/Config/Security.php
+++ b/app/Config/Security.php
@@ -13,9 +13,9 @@ class Security extends BaseConfig
     *
     * Protection Method for Cross Site Request Forgery protection.
     *
-     * @var string 'cookie' or 'session'
+     * @var string|false 'cookie', 'session', or false
     */
-    public string $csrfProtection = 'session';
+    public string|false $csrfProtection = 'session';

    /**
     * --------------------------------------------------------------------------
--- a/app/Controllers/Attributes.php
+++ b/app/Controllers/Attributes.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Attribute;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 require_once('Secure_Controller.php');
@@ -24,19 +25,19 @@ class Attributes extends Secure_Controller
    /**
     * Gets and sends the main view for Attributes to the browser.
     *
-     * @return void
+     * @return string
     **/
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_attribute_definition_manage_table_headers();

-        echo view('attributes/manage', $data);
+        return view('attributes/manage', $data);
    }

    /**
     * Returns attribute table data rows. This will be called with AJAX.
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -53,15 +54,15 @@ class Attributes extends Secure_Controller
            $data_rows[] = get_attribute_definition_data_row($attribute_row);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * AJAX called function which saves the attribute value sent via POST by using the model save function.
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveAttributeValue(): void
+    public function postSaveAttributeValue(): ResponseInterface
    {
        $success = $this->attribute->saveAttributeValue(
            html_entity_decode($this->request->getPost('attribute_value')),
@@ -70,32 +71,32 @@ class Attributes extends Secure_Controller
            $this->request->getPost('attribute_id', FILTER_SANITIZE_NUMBER_INT) ?? false
        );

-        echo json_encode(['success' => $success != 0]);
+        return $this->response->setJSON(['success' => $success != 0]);
    }

    /**
     * AJAX called function deleting an attribute value using the model delete function.
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postDeleteDropdownAttributeValue(): void
+    public function postDeleteDropdownAttributeValue(): ResponseInterface
    {
        $success = $this->attribute->deleteDropdownAttributeValue(
            html_entity_decode($this->request->getPost('attribute_value')),
            $this->request->getPost('definition_id', FILTER_SANITIZE_NUMBER_INT)
        );

-        echo json_encode(['success' => $success]);
+        return $this->response->setJSON(['success' => $success]);
    }

    /**
     * AJAX called function which saves the attribute definition.
     *
     * @param int $definition_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveDefinition(int $definition_id = NO_DEFINITION_ID): void
+    public function postSaveDefinition(int $definition_id = NO_DEFINITION_ID): ResponseInterface
    {
        $definition_flags = 0;

@@ -105,12 +106,24 @@ class Attributes extends Secure_Controller
            $definition_flags |= $flag;
        }

+        // Validate definition_group (definition_fk) foreign key
+        $definition_group_input = $this->request->getPost('definition_group');
+        $definition_fk = $this->validateDefinitionGroup($definition_group_input);
+
+        if ($definition_fk === false) {
+            return $this->response->setJSON([
+                'success' => false,
+                'message' => lang('Attributes.definition_invalid_group'),
+                'id'      => NEW_ENTRY
+            ]);
+        }
+
        // Save definition data
        $definition_data = [
            'definition_name'  => $this->request->getPost('definition_name'),
            'definition_unit'  => $this->request->getPost('definition_unit') != '' ? $this->request->getPost('definition_unit') : null,
            'definition_flags' => $definition_flags,
-            'definition_fk'    => $this->request->getPost('definition_group') != '' ? $this->request->getPost('definition_group') : null
+            'definition_fk'    => $definition_fk
        ];

        if ($this->request->getPost('definition_type') != null) {
@@ -128,20 +141,20 @@ class Attributes extends Secure_Controller
                    $this->attribute->saveAttributeValue($definition_value, $definition_data['definition_id']);
                }

-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Attributes.definition_successful_adding') . ' ' . $definition_name,
                    'id'      => $definition_data['definition_id']
                ]);
            } else { // Existing definition
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Attributes.definition_successful_updating') . ' ' . $definition_name,
                    'id'      => $definition_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Attributes.definition_error_adding_updating', [$definition_name]),
                'id'      => NEW_ENTRY
@@ -149,30 +162,56 @@ class Attributes extends Secure_Controller
        }
    }

+    /**
+     * Validates a definition_group foreign key.
+     * Returns the validated integer ID, null if empty, or false if invalid.
+     *
+     * @param mixed $definition_group_input
+     * @return int|null|false
+     */
+    private function validateDefinitionGroup(mixed $definition_group_input): int|null|false
+    {
+        if ($definition_group_input === '' || $definition_group_input === null) {
+            return null;
+        }
+
+        $definition_group_id = (int) $definition_group_input;
+
+        // Must be a positive integer, exist in attribute_definitions, and be of type GROUP
+        if ($definition_group_id <= 0
+            || !$this->attribute->exists($definition_group_id)
+            || $this->attribute->getAttributeInfo($definition_group_id)->definition_type !== GROUP
+        ) {
+            return false;
+        }
+
+        return $definition_group_id;
+    }
+
    /**
     *
     * @param int $definition_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestAttribute(int $definition_id): void
+    public function getSuggestAttribute(int $definition_id): ResponseInterface
    {
        $suggestions = $this->attribute->get_suggestions($definition_id, html_entity_decode($this->request->getGet('term')));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $attribute_definition_info = $this->attribute->getAttributeInfo($row_id);
        $attribute_definition_info->definition_flags = $this->get_attributes($attribute_definition_info->definition_flags);
        $data_row = get_attribute_definition_data_row($attribute_definition_info);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
@@ -192,9 +231,9 @@ class Attributes extends Secure_Controller

    /**
     * @param int $definition_id
-     * @return void
+     * @return string
     */
-    public function getView(int $definition_id = NO_DEFINITION_ID): void
+    public function getView(int $definition_id = NO_DEFINITION_ID): string
    {
        $info = $this->attribute->getAttributeInfo($definition_id);
        foreach (get_object_vars($info) as $property => $value) {
@@ -212,22 +251,22 @@ class Attributes extends Secure_Controller
        $selected_flags = $info->definition_flags === '' ? $show_all : $info->definition_flags;
        $data['selected_definition_flags'] = $this->get_attributes($selected_flags);

-        echo view('attributes/form', $data);
+        return view('attributes/form', $data);
    }

    /**
     * Deletes an attribute definition
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $attributes_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if($this->attribute->deleteDefinitionList($attributes_to_delete)) {
            $message = lang('Attributes.definition_successful_deleted') . ' ' . count($attributes_to_delete) . ' ' . lang('Attributes.definition_one_or_multiple');
-            echo json_encode(['success' => true, 'message' => $message]);
+            return $this->response->setJSON(['success' => true, 'message' => $message]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Attributes.definition_cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Attributes.definition_cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Cashups.php
+++ b/app/Controllers/Cashups.php
@@ -5,6 +5,7 @@ namespace App\Controllers;
 use App\Models\Cashup;
 use App\Models\Expense;
 use App\Models\Reports\Summary_payments;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;

@@ -26,22 +27,25 @@ class Cashups extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_cashups_manage_table_headers();

        // filters that will be loaded in the multiselect dropdown
        $data['filters'] = ['is_deleted' => lang('Cashups.is_deleted')];

-        echo view('cashups/manage', $data);
+        // Restore filters from URL
+        $data = array_merge($data, restoreTableFilters($this->request));
+
+        return view('cashups/manage', $data);
    }

    /**
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -64,14 +68,14 @@ class Cashups extends Secure_Controller
            $data_rows[] = get_cash_up_data_row($cash_up);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * @param int $cashup_id
-     * @return void
+     * @return string
     */
-    public function getView(int $cashup_id = NEW_ENTRY): void
+    public function getView(int $cashup_id = NEW_ENTRY): string
    {
        $data = [];

@@ -180,26 +184,26 @@ class Cashups extends Secure_Controller

        $data['cash_ups_info'] = $cash_ups_info;

-        echo view("cashups/form", $data);
+        return view("cashups/form", $data);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $cash_ups_info = $this->cashup->get_info($row_id);
        $data_row = get_cash_up_data_row($cash_ups_info);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $cashup_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $cashup_id = NEW_ENTRY): void
+    public function postSave(int $cashup_id = NEW_ENTRY): ResponseInterface
    {
        $open_date = $this->request->getPost('open_date');
        $open_date_formatter = date_create_from_format($this->config['dateformat'] . ' ' . $this->config['timeformat'], $open_date);
@@ -227,36 +231,36 @@ class Cashups extends Secure_Controller
        if ($this->cashup->save_value($cash_up_data, $cashup_id)) {
            // New cashup_id
            if ($cashup_id == NEW_ENTRY) {
-                echo json_encode(['success' => true, 'message' => lang('Cashups.successful_adding'), 'id' => $cash_up_data['cashup_id']]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_adding'), 'id' => $cash_up_data['cashup_id']]);
            } else { // Existing Cashup
-                echo json_encode(['success' => true, 'message' => lang('Cashups.successful_updating'), 'id' => $cashup_id]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_updating'), 'id' => $cashup_id]);
            }
        } else { // Failure
-            echo json_encode(['success' => false, 'message' => lang('Cashups.error_adding_updating'), 'id' => NEW_ENTRY]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Cashups.error_adding_updating'), 'id' => NEW_ENTRY]);
        }
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $cash_ups_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if ($this->cashup->delete_list($cash_ups_to_delete)) {
-            echo json_encode(['success' => true, 'message' => lang('Cashups.successful_deleted') . ' ' . count($cash_ups_to_delete) . ' ' . lang('Cashups.one_or_multiple'), 'ids' => $cash_ups_to_delete]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Cashups.successful_deleted') . ' ' . count($cash_ups_to_delete) . ' ' . lang('Cashups.one_or_multiple'), 'ids' => $cash_ups_to_delete]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Cashups.cannot_be_deleted'), 'ids' => $cash_ups_to_delete]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Cashups.cannot_be_deleted'), 'ids' => $cash_ups_to_delete]);
        }
    }

    /**
     * Calculate the total for cashups. Used in app\Views\cashups\form.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postAjax_cashup_total(): void
+    public function postAjax_cashup_total(): ResponseInterface
    {
        $open_amount_cash = parse_decimals($this->request->getPost('open_amount_cash'));
        $transfer_amount_cash = parse_decimals($this->request->getPost('transfer_amount_cash'));
@@ -267,7 +271,7 @@ class Cashups extends Secure_Controller

        $total = $this->_calculate_total($open_amount_cash, $transfer_amount_cash, $closed_amount_due, $closed_amount_cash, $closed_amount_card, $closed_amount_check);    // TODO: hungarian notation

-        echo json_encode(['total' => to_currency_no_money($total)]);
+        return $this->response->setJSON(['total' => to_currency_no_money($total)]);
    }

    /**
--- a/app/Controllers/Config.php
+++ b/app/Controllers/Config.php
@@ -11,12 +11,14 @@ use App\Models\Appconfig;
 use App\Models\Attribute;
 use App\Models\Customer_rewards;
 use App\Models\Dinner_table;
+use App\Models\Item;
 use App\Models\Module;
 use App\Models\Enums\Rounding_mode;
 use App\Models\Stock_location;
 use App\Models\Tax;
 use CodeIgniter\Database\BaseConnection;
 use CodeIgniter\Encryption\EncrypterInterface;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Database;
 use Config\OSPOS;
 use Config\Services;
@@ -215,8 +217,9 @@ class Config extends Secure_Controller
    }

    /**
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['stock_locations'] = $this->stock_location->get_all()->getResultArray();
        $data['dinner_tables'] = $this->dinner_table->get_all()->getResultArray();
@@ -224,6 +227,7 @@ class Config extends Secure_Controller
        $data['support_barcode'] = $this->barcode_lib->get_list_barcodes();
        $data['barcode_fonts'] = $this->barcode_lib->listfonts('fonts');
        $data['logo_exists'] = $this->config['company_logo'] != '';
+        $data['logo_src'] = !empty($this->config['company_logo']) ? base_url('uploads/' . $this->config['company_logo']) : '';
        $data['line_sequence_options'] = $this->sale_lib->get_line_sequence_options();
        $data['register_mode_options'] = $this->sale_lib->get_register_mode_options();
        $data['invoice_type_options'] = $this->sale_lib->get_invoice_type_options();
@@ -272,17 +276,17 @@ class Config extends Secure_Controller

        $data['mailchimp']['lists'] = $this->_mailchimp();

-        echo view('configs/manage', $data);
+        return view('configs/manage', $data);
    }

    /**
     * Saves company information. Used in app/Views/configs/info_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveInfo(): void
+    public function postSaveInfo(): ResponseInterface
    {
        $upload_data = $this->upload_logo();
        $upload_success = empty($upload_data['error']);
@@ -306,7 +310,7 @@ class Config extends Secure_Controller
        $message = lang('Config.saved_' . ($success ? '' : 'un') . 'successfully');
        $message = $upload_success ? $message : strip_tags($upload_data['error']);

-        echo json_encode(['success' => $success, 'message' => $message]);
+        return $this->response->setJSON(['success' => $success, 'message' => $message]);
    }


@@ -358,9 +362,10 @@ class Config extends Secure_Controller
     * Saves general configuration. Used in app/Views/configs/general_config.php
     *
     * @throws ReflectionException
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveGeneral(): void
+    public function postSaveGeneral(): ResponseInterface
    {
        $batch_save_data = [
            'theme'                             => $this->request->getPost('theme'),
@@ -381,9 +386,9 @@ class Config extends Secure_Controller
            'gcaptcha_enable'                   => $this->request->getPost('gcaptcha_enable') != null,
            'gcaptcha_secret_key'               => $this->request->getPost('gcaptcha_secret_key'),
            'gcaptcha_site_key'                 => $this->request->getPost('gcaptcha_site_key'),
-            'suggestions_first_column'          => $this->request->getPost('suggestions_first_column'),
-            'suggestions_second_column'         => $this->request->getPost('suggestions_second_column'),
-            'suggestions_third_column'          => $this->request->getPost('suggestions_third_column'),
+            'suggestions_first_column'          => $this->validateSuggestionsColumn($this->request->getPost('suggestions_first_column'), 'first'),
+            'suggestions_second_column'         => $this->validateSuggestionsColumn($this->request->getPost('suggestions_second_column'), 'other'),
+            'suggestions_third_column'          => $this->validateSuggestionsColumn($this->request->getPost('suggestions_third_column'), 'other'),
            'giftcard_number'                   => $this->request->getPost('giftcard_number'),
            'derive_sale_quantity'              => $this->request->getPost('derive_sale_quantity') != null,
            'multi_pack_enabled'                => $this->request->getPost('multi_pack_enabled') != null,
@@ -407,16 +412,16 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Checks a number against the currently selected locale. Used in app/Views/configs/locale_config.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckNumberLocale(): void
+    public function postCheckNumberLocale(): ResponseInterface
    {
        $number_locale = $this->request->getPost('number_locale');
        $save_number_locale = $this->request->getPost('save_number_locale');
@@ -438,7 +443,7 @@ class Config extends Secure_Controller
        $fmt->setSymbol(NumberFormatter::CURRENCY_SYMBOL, $currency_symbol);
        $number_local_example = $fmt->format(1234567890.12300);

-        echo json_encode([
+        return $this->response->setJSON([
            'success'               => $number_local_example != false,
            'save_number_locale'    => $save_number_locale,
            'number_locale_example' => $number_local_example,
@@ -451,14 +456,15 @@ class Config extends Secure_Controller
     * Saves locale configuration. Used in app/Views/configs/locale_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveLocale(): void
+    public function postSaveLocale(): ResponseInterface
    {
        $exploded = explode(":", $this->request->getPost('language'));
+        $currency_symbol = $this->request->getPost('currency_symbol');
        $batch_save_data = [
-            'currency_symbol'       => $this->request->getPost('currency_symbol'),
+            'currency_symbol'       => htmlspecialchars($currency_symbol ?? ''),
            'currency_code'         => $this->request->getPost('currency_code'),
            'language_code'         => $exploded[0],
            'language'              => $exploded[1],
@@ -480,17 +486,17 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves email configuration. Used in app/Views/configs/email_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveEmail(): void
+    public function postSaveEmail(): ResponseInterface
    {
        $password = '';

@@ -511,17 +517,17 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves SMS message configuration. Used in app/Views/configs/message_config.php.
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveMessage(): void
+    public function postSaveMessage(): ResponseInterface
    {
        $password = '';

@@ -538,7 +544,7 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
@@ -565,15 +571,15 @@ class Config extends Secure_Controller
    /**
     * Gets Mailchimp lists when a valid API key is inserted. Used in app/Views/configs/integrations_config.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckMailchimpApiKey(): void
+    public function postCheckMailchimpApiKey(): ResponseInterface
    {
        $lists = $this->_mailchimp($this->request->getPost('mailchimp_api_key'));
        $success = count($lists) > 0;

-        echo json_encode([
+        return $this->response->setJSON([
            'success'         => $success,
            'message'         => lang('Config.mailchimp_key_' . ($success ? '' : 'un') . 'successfully'),
            'mailchimp_lists' => $lists
@@ -584,10 +590,10 @@ class Config extends Secure_Controller
     * Saves Mailchimp configuration. Used in app/Views/configs/integrations_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveMailchimp(): void
+    public function postSaveMailchimp(): ResponseInterface
    {
        $api_key = '';
        $list_id = '';
@@ -608,56 +614,56 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Gets all stock locations. Used in app/Views/configs/stock_config.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getStockLocations(): void
+    public function getStockLocations(): string
    {
        $stock_locations = $this->stock_location->get_all()->getResultArray();

-        echo view('partial/stock_locations', ['stock_locations' => $stock_locations]);
+        return view('partial/stock_locations', ['stock_locations' => $stock_locations]);
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getDinnerTables(): void
+    public function getDinnerTables(): string
    {
        $dinner_tables = $this->dinner_table->get_all()->getResultArray();

-        echo view('partial/dinner_tables', ['dinner_tables' => $dinner_tables]);
+        return view('partial/dinner_tables', ['dinner_tables' => $dinner_tables]);
    }


    /**
     * Gets all tax categories.
     *
-     * @return void
+     * @return string
     */
-    public function ajax_tax_categories(): void    // TODO: Is this function called anywhere in the code?
+    public function ajax_tax_categories(): string    // TODO: Is this function called anywhere in the code?
    {
        $tax_categories = $this->tax->get_all_tax_categories()->getResultArray();

-        echo view('partial/tax_categories', ['tax_categories' => $tax_categories]);
+        return view('partial/tax_categories', ['tax_categories' => $tax_categories]);
    }

    /**
     * Gets all customer rewards. Used in app/Views/configs/reward_config.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getCustomerRewards(): void
+    public function getCustomerRewards(): string
    {
        $customer_rewards = $this->customer_rewards->get_all()->getResultArray();

-        echo view('partial/customer_rewards', ['customer_rewards' => $customer_rewards]);
+        return view('partial/customer_rewards', ['customer_rewards' => $customer_rewards]);
    }

    /**
@@ -677,10 +683,10 @@ class Config extends Secure_Controller
    /**
     * Saves stock locations. Used in app/Views/configs/stock_config.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveLocations(): void
+    public function postSaveLocations(): ResponseInterface
    {
        $this->db->transStart();

@@ -712,17 +718,17 @@ class Config extends Secure_Controller

        $success = $this->db->transStatus();

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves all dinner tables. Used in app/Views/configs/table_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveTables(): void
+    public function postSaveTables(): ResponseInterface
    {
        $this->db->transStart();

@@ -759,17 +765,17 @@ class Config extends Secure_Controller

        $success = $this->db->transStatus();

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves tax configuration. Used in app/Views/configs/tax_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveTax(): void
+    public function postSaveTax(): ResponseInterface
    {
        $default_tax_1_rate = $this->request->getPost('default_tax_1_rate');
        $default_tax_2_rate = $this->request->getPost('default_tax_2_rate');
@@ -791,17 +797,17 @@ class Config extends Secure_Controller

        $message = lang('Config.saved_' . ($success ? '' : 'un') . 'successfully');

-        echo json_encode(['success' => $success, 'message' => $message]);
+        return $this->response->setJSON(['success' => $success, 'message' => $message]);
    }

    /**
     * Saves customer rewards configuration. Used in app/Views/configs/reward_config.php
     *
-     * @throws ReflectionException
-     * @return void
-     * @noinspection PhpUnused
-     */
-    public function postSaveRewards(): void
+      * @throws ReflectionException
+      * @return ResponseInterface
+      * @noinspection PhpUnused
+      */
+    public function postSaveRewards(): ResponseInterface
    {
        $this->db->transStart();

@@ -845,17 +851,17 @@ class Config extends Secure_Controller

        $success = $this->db->transStatus();

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves barcode configuration. Used in app/Views/configs/barcode_config.php
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveBarcode(): void
+    public function postSaveBarcode(): ResponseInterface
    {
        $batch_save_data = [
            'barcode_type'              => $this->request->getPost('barcode_type'),
@@ -877,17 +883,17 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves receipt configuration. Used in app/Views/configs/receipt_config.php.
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveReceipt(): void
+    public function postSaveReceipt(): ResponseInterface
    {
        $batch_save_data = [
            'receipt_template'              => $this->request->getPost('receipt_template'),
@@ -912,17 +918,17 @@ class Config extends Secure_Controller

        $success = $this->appconfig->batch_save($batch_save_data);

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Saves invoice configuration. Used in app/Views/configs/invoice_config.php.
     *
     * @throws ReflectionException
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSaveInvoice(): void
+    public function postSaveInvoice(): ResponseInterface
    {
        $batch_save_data = [
            'invoice_enable'              => $this->request->getPost('invoice_enable') != null,
@@ -938,7 +944,9 @@ class Config extends Secure_Controller
            'work_order_enable'           => $this->request->getPost('work_order_enable') != null,
            'work_order_format'           => $this->request->getPost('work_order_format'),
            'last_used_work_order_number' => $this->request->getPost('last_used_work_order_number', FILTER_SANITIZE_NUMBER_INT),
-            'invoice_type'                => $this->request->getPost('invoice_type')
+            'invoice_type'                => Sale_lib::isValidInvoiceType($this->request->getPost('invoice_type')) 
+                ? $this->request->getPost('invoice_type') 
+                : 'invoice'
        ];

        $success = $this->appconfig->batch_save($batch_save_data);
@@ -953,20 +961,42 @@ class Config extends Secure_Controller
            }
        }

-        echo json_encode(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
+        return $this->response->setJSON(['success' => $success, 'message' => lang('Config.saved_' . ($success ? '' : 'un') . 'successfully')]);
    }

    /**
     * Removes the company logo from the database. Used in app/Views/configs/info_config.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postRemoveLogo(): void
+    public function postRemoveLogo(): ResponseInterface
    {
        $success = $this->appconfig->save(['company_logo' => '']);

-        echo json_encode(['success' => $success]);
+        return $this->response->setJSON(['success' => $success]);
+    }
+
+    /**
+     * Validates suggestions column configuration to prevent SQL injection.
+     *
+     * @param mixed $column The column value from POST
+     * @param string $fieldType Either 'first' or 'other' to determine default fallback
+     * @return string Validated column name
+     */
+    private function validateSuggestionsColumn(mixed $column, string $fieldType): string
+    {
+        if (!is_string($column)) {
+            return $fieldType === 'first' ? 'name' : '';
+        }
+
+        $allowed = $fieldType === 'first' 
+            ? Item::ALLOWED_SUGGESTIONS_COLUMNS 
+            : Item::ALLOWED_SUGGESTIONS_COLUMNS_WITH_EMPTY;
+
+        $fallback = $fieldType === 'first' ? 'name' : '';
+
+        return in_array($column, $allowed, true) ? $column : $fallback;
    }
 }
--- a/app/Controllers/Customers.php
+++ b/app/Controllers/Customers.php
@@ -8,6 +8,7 @@ use App\Models\Customer;
 use App\Models\Customer_rewards;
 use App\Models\Tax_code;
 use CodeIgniter\HTTP\DownloadResponse;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;
 use stdClass;
@@ -40,19 +41,20 @@ class Customers extends Persons
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_customer_manage_table_headers();

-        echo view('people/manage', $data);
+        return view('people/manage', $data);
    }

    /**
     * Gets one row for a customer manage table. This is called using AJAX to update one row.
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $person = $this->customer->get_info($row_id);

@@ -72,7 +74,7 @@ class Customers extends Persons

        $data_row = get_customer_data_row($person, $stats);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }


@@ -81,7 +83,7 @@ class Customers extends Persons
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -111,35 +113,37 @@ class Customers extends Persons
            $data_rows[] = get_customer_data_row($person, $stats);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * Gives search suggestions based on what is being searched for
+     * @return ResponseInterface
     */
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->customer->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->customer->get_search_suggestions($search, 25, false);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Loads the customer edit form
+     * @return string
     */
-    public function getView(int $customer_id = NEW_ENTRY): void
+    public function getView(int $customer_id = NEW_ENTRY): string
    {
        // Set default values
        if ($customer_id == null) $customer_id = NEW_ENTRY;
@@ -227,13 +231,14 @@ class Customers extends Persons
            }
        }

-        echo view("customers/form", $data);
+        return view("customers/form", $data);
    }

    /**
     * Inserts/updates a customer
+     * @return ResponseInterface
     */
-    public function postSave(int $customer_id = NEW_ENTRY): void
+    public function postSave(int $customer_id = NEW_ENTRY): ResponseInterface
    {
        $first_name = $this->request->getPost('first_name');
        $last_name = $this->request->getPost('last_name');
@@ -288,20 +293,20 @@ class Customers extends Persons

            // New customer
            if ($customer_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Customers.successful_adding') . ' ' . $first_name . ' ' . $last_name,
                    'id'      => $customer_data['person_id']
                ]);
            } else { // Existing customer
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Customers.successful_updating') . ' ' . $first_name . ' ' . $last_name,
                    'id'      => $customer_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Customers.error_adding_updating') . ' ' . $first_name . ' ' . $last_name,
                'id'      => NEW_ENTRY
@@ -312,36 +317,37 @@ class Customers extends Persons
    /**
     * Verifies if an email address already exists. Used in app/Views/customers/form.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckEmail(): void
+    public function postCheckEmail(): ResponseInterface
    {
        $email = strtolower($this->request->getPost('email', FILTER_SANITIZE_EMAIL));
        $person_id = $this->request->getPost('person_id', FILTER_SANITIZE_NUMBER_INT);

        $exists = $this->customer->check_email_exists($email, $person_id);

-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
     * Verifies if an account number already exists. Used in app/Views/customers/form.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckAccountNumber(): void
+    public function postCheckAccountNumber(): ResponseInterface
    {
        $exists = $this->customer->check_account_number_exists($this->request->getPost('account_number'), $this->request->getPost('person_id', FILTER_SANITIZE_NUMBER_INT));

-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
     * This deletes customers from the customers table
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $customers_to_delete = $this->request->getPost('ids');
        $customers_info = $this->customer->get_multiple_info($customers_to_delete);
@@ -358,12 +364,12 @@ class Customers extends Persons
        }

        if ($count == count($customers_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Customers.successful_deleted') . ' ' . $count . ' ' . lang('Customers.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Customers.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Customers.cannot_be_deleted')]);
        }
    }

@@ -383,24 +389,24 @@ class Customers extends Persons
    /**
     * Displays the customer CSV import modal. Used in app/Views/people/manage.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getCsvImport(): void
+    public function getCsvImport(): string
    {
-        echo view('customers/form_csv_import');
+        return view('customers/form_csv_import');
    }

    /**
     * Imports a CSV file containing customers. Used in app/Views/customers/form_csv_import.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postImportCsvFile(): void
+    public function postImportCsvFile(): ResponseInterface
    {
        if ($_FILES['file_path']['error'] != UPLOAD_ERR_OK) {
-            echo json_encode(['success' => false, 'message' => lang('Customers.csv_import_failed')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Customers.csv_import_failed')]);
        } else {
            if (($handle = fopen($_FILES['file_path']['tmp_name'], 'r')) !== false) {
                // Skip the first row as it's the table description
@@ -467,12 +473,12 @@ class Customers extends Persons
                if (count($failCodes) > 0) {
                    $message = lang('Customers.csv_import_partially_failed', [count($failCodes), implode(', ', $failCodes)]);

-                    echo json_encode(['success' => false, 'message' => $message]);
+                    return $this->response->setJSON(['success' => false, 'message' => $message]);
                } else {
-                    echo json_encode(['success' => true, 'message' => lang('Customers.csv_import_success')]);
+                    return $this->response->setJSON(['success' => true, 'message' => lang('Customers.csv_import_success')]);
                }
            } else {
-                echo json_encode(['success' => false, 'message' => lang('Customers.csv_import_nodata_wrongformat')]);
+                return $this->response->setJSON(['success' => false, 'message' => lang('Customers.csv_import_nodata_wrongformat')]);
            }
        }
    }
--- a/app/Controllers/Employees.php
+++ b/app/Controllers/Employees.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Module;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 /**
@@ -25,7 +26,7 @@ class Employees extends Persons
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -41,39 +42,47 @@ class Employees extends Persons
            $data_rows[] = get_person_data_row($person);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * AJAX called function gives search suggestions based on what is being searched for.
     *
-     * @return void
+     * @return ResponseInterface
     */
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->employee->get_search_suggestions($search, 25, true);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->employee->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Loads the employee edit form
+     * @return string
     */
-    public function getView(int $employee_id = NEW_ENTRY): void
+    public function getView(int $employee_id = NEW_ENTRY): string
    {
        $person_info = $this->employee->get_info($employee_id);
+        $current_user = $this->employee->get_logged_in_employee_info();
+
+        if ($employee_id != NEW_ENTRY && !$this->employee->canModifyEmployee($person_info->person_id, $current_user->person_id)) {
+            header('Location: ' . base_url('no_access/employees/employees'));
+            exit();
+        }
+
        foreach (get_object_vars($person_info) as $property => $value) {
            $person_info->$property = $value;
        }
@@ -98,14 +107,28 @@ class Employees extends Persons
        }
        $data['all_subpermissions'] = $permissions;

-        echo view('employees/form', $data);
+        return view('employees/form', $data);
    }

    /**
     * Inserts/updates an employee
+     * @return ResponseInterface
     */
-    public function postSave(int $employee_id = NEW_ENTRY): void
+    public function postSave(int $employee_id = NEW_ENTRY): ResponseInterface
    {
+        $current_user = $this->employee->get_logged_in_employee_info();
+
+        if ($employee_id != NEW_ENTRY) {
+            $target_employee = $this->employee->get_info($employee_id);
+            if (!$this->employee->canModifyEmployee($target_employee->person_id, $current_user->person_id)) {
+                return $this->response->setJSON([
+                    'success' => false,
+                    'message' => lang('Employees.error_updating_admin'),
+                    'id'      => NEW_ENTRY
+                ]);
+            }
+        }
+
        $first_name = $this->request->getPost('first_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);    // TODO: duplicated code
        $last_name = $this->request->getPost('last_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $email = strtolower($this->request->getPost('email', FILTER_SANITIZE_EMAIL));
@@ -130,11 +153,16 @@ class Employees extends Persons
        ];

        $grants_array = [];
+        $isAdmin = $this->employee->isAdmin($current_user->person_id);
+
        foreach ($this->module->get_all_permissions()->getResult() as $permission) {
            $grants = [];
            $grant = $this->request->getPost('grant_' . $permission->permission_id) != null ? $this->request->getPost('grant_' . $permission->permission_id, FILTER_SANITIZE_FULL_SPECIAL_CHARS) : '';

            if ($grant == $permission->permission_id) {
+                if (!$isAdmin && !$this->employee->has_grant($permission->permission_id, $current_user->person_id)) {
+                    continue;
+                }
                $grants['permission_id'] = $permission->permission_id;
                $grants['menu_group'] = $this->request->getPost('menu_group_' . $permission->permission_id) != null ? $this->request->getPost('menu_group_' . $permission->permission_id, FILTER_SANITIZE_FULL_SPECIAL_CHARS) : '--';
                $grants_array[] = $grants;
@@ -163,20 +191,25 @@ class Employees extends Persons
        if ($this->employee->save_employee($person_data, $employee_data, $grants_array, $employee_id)) {
            // New employee
            if ($employee_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Employees.successful_adding') . ' ' . $first_name . ' ' . $last_name,
                    'id'      => $employee_data['person_id']
                ]);
            } else { // Existing employee
-                echo json_encode([
+                $logged_in_employee_id = session()->get('person_id');
+                if ($employee_id == $logged_in_employee_id) {
+                    session()->set('language_code', $employee_data['language_code']);
+                    session()->set('language', $employee_data['language']);
+                }
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Employees.successful_updating') . ' ' . $first_name . ' ' . $last_name,
                    'id'      => $employee_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Employees.error_adding_updating') . ' ' . $first_name . ' ' . $last_name,
                'id'      => NEW_ENTRY
@@ -186,18 +219,28 @@ class Employees extends Persons

    /**
     * This deletes employees from the employees table
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $employees_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        $current_user = $this->employee->get_logged_in_employee_info();
+
+        if (!$this->employee->isAdmin($current_user->person_id)) {
+            foreach ($employees_to_delete as $emp_id) {
+                if ($this->employee->isAdmin((int)$emp_id)) {
+                    return $this->response->setJSON(['success' => false, 'message' => lang('Employees.error_deleting_admin')]);
+                }
+            }
+        }

        if ($this->employee->delete_list($employees_to_delete)) {    // TODO: this is passing a string, but delete_list expects an array
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Employees.successful_deleted') . ' ' . count($employees_to_delete) . ' ' . lang('Employees.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Employees.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Employees.cannot_be_deleted')]);
        }
    }

@@ -205,12 +248,12 @@ class Employees extends Persons
     * Checks an employee username against the database. Used in app\Views\employees\form.php
     *
     * @param $employee_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getCheckUsername($employee_id): void
+    public function getCheckUsername($employee_id): ResponseInterface
    {
        $exists = $this->employee->username_exists($employee_id, $this->request->getGet('username'));
-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }
 }
--- a/app/Controllers/Expenses.php
+++ b/app/Controllers/Expenses.php
@@ -4,6 +4,7 @@ namespace App\Controllers;

 use App\Models\Expense;
 use App\Models\Expense_category;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;

@@ -23,7 +24,7 @@ class Expenses extends Secure_Controller
    /**
     * @return void
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_expenses_manage_table_headers();

@@ -37,13 +38,16 @@ class Expenses extends Secure_Controller
            'is_deleted'  => lang('Expenses.is_deleted')
        ];

-        echo view('expenses/manage', $data);
+        // Restore filters from URL
+        $data = array_merge($data, restoreTableFilters($this->request));
+
+        return view('expenses/manage', $data);
    }

    /**
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search   = $this->request->getGet('search');
        $limit    = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -78,27 +82,34 @@ class Expenses extends Secure_Controller
            $data_rows[] = get_expenses_data_last_row($expenses);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows, 'payment_summary' => $payment_summary]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows, 'payment_summary' => $payment_summary]);
    }

    /**
     * @param int $expense_id
     * @return void
     */
-    public function getView(int $expense_id = NEW_ENTRY): void
+    public function getView(int $expense_id = NEW_ENTRY): string
    {
        $data = [];    // TODO: Duplicated code

-        $data['employees'] = [];
-        foreach ($this->employee->get_all()->getResult() as $employee) {
-            foreach (get_object_vars($employee) as $property => $value) {
-                $employee->$property = $value;
-            }
-
-            $data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
-        }
-
        $data['expenses_info'] = $this->expense->get_info($expense_id);
+        $expense_id = $data['expenses_info']->expense_id;
+
+        $current_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
+        $can_assign_employee = $this->employee->has_grant('employees', $current_employee_id);
+
+        $data['employees'] = [];
+        if ($can_assign_employee) {
+            foreach ($this->employee->get_all()->getResult() as $employee) {
+                $data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
+            }
+        } else {
+            $stored_employee_id = $expense_id == NEW_ENTRY ? $current_employee_id : $data['expenses_info']->employee_id;
+            $stored_employee = $this->employee->get_info($stored_employee_id);
+            $data['employees'][$stored_employee_id] = $stored_employee->first_name . ' ' . $stored_employee->last_name;
+        }
+        $data['can_assign_employee'] = $can_assign_employee;

        $expense_categories = [];
        foreach ($this->expense_category->get_all(0, 0, true)->getResultArray() as $row) {
@@ -106,11 +117,9 @@ class Expenses extends Secure_Controller
        }
        $data['expense_categories'] = $expense_categories;

-        $expense_id = $data['expenses_info']->expense_id;
-
        if ($expense_id == NEW_ENTRY) {
            $data['expenses_info']->date = date('Y-m-d H:i:s');
-            $data['expenses_info']->employee_id = $this->employee->get_logged_in_employee_info()->person_id;
+            $data['expenses_info']->employee_id = $current_employee_id;
        }

        $data['payments'] = [];
@@ -125,32 +134,46 @@ class Expenses extends Secure_Controller
        // Don't allow gift card to be a payment option in a sale transaction edit because it's a complex change
        $data['payment_options'] = $this->expense->get_payment_options();

-        echo view("expenses/form", $data);
+        return view("expenses/form", $data);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $expense_info = $this->expense->get_info($row_id);
        $data_row = get_expenses_data_row($expense_info);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $expense_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $expense_id = NEW_ENTRY): void
+    public function postSave(int $expense_id = NEW_ENTRY): ResponseInterface
    {
        $config = config(OSPOS::class)->settings;
        $newdate = $this->request->getPost('date', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        $date_formatter = date_create_from_format($config['dateformat'] . ' ' . $config['timeformat'], $newdate);

+        $current_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
+        $submitted_employee_id = $this->request->getPost('employee_id', FILTER_SANITIZE_NUMBER_INT);
+
+        if (!$this->employee->has_grant('employees', $current_employee_id)) {
+            if ($expense_id == NEW_ENTRY) {
+                $employee_id = $current_employee_id;
+            } else {
+                $existing_expense = $this->expense->get_info($expense_id);
+                $employee_id = $existing_expense->employee_id;
+            }
+        } else {
+            $employee_id = $submitted_employee_id;
+        }
+
        $expense_data = [
            'date'                => $date_formatter->format('Y-m-d H:i:s'),
            'supplier_id'         => $this->request->getPost('supplier_id') == '' ? null : $this->request->getPost('supplier_id', FILTER_SANITIZE_NUMBER_INT),
@@ -160,33 +183,33 @@ class Expenses extends Secure_Controller
            'payment_type'        => $this->request->getPost('payment_type', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
            'expense_category_id' => $this->request->getPost('expense_category_id', FILTER_SANITIZE_NUMBER_INT),
            'description'         => $this->request->getPost('description', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
-            'employee_id'         => $this->request->getPost('employee_id', FILTER_SANITIZE_NUMBER_INT),
+            'employee_id'         => $employee_id,
            'deleted'             => $this->request->getPost('deleted') != null
        ];

        if ($this->expense->save_value($expense_data, $expense_id)) {
            // New Expense
            if ($expense_id == NEW_ENTRY) {
-                echo json_encode(['success' => true, 'message' => lang('Expenses.successful_adding'), 'id' => $expense_data['expense_id']]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Expenses.successful_adding'), 'id' => $expense_data['expense_id']]);
            } else { // Existing Expense
-                echo json_encode(['success' => true, 'message' => lang('Expenses.successful_updating'), 'id' => $expense_id]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Expenses.successful_updating'), 'id' => $expense_id]);
            }
        } else { // Failure
-            echo json_encode(['success' => false, 'message' => lang('Expenses.error_adding_updating'), 'id' => NEW_ENTRY]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Expenses.error_adding_updating'), 'id' => NEW_ENTRY]);
        }
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $expenses_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if ($this->expense->delete_list($expenses_to_delete)) {
-            echo json_encode(['success' => true, 'message' => lang('Expenses.successful_deleted') . ' ' . count($expenses_to_delete) . ' ' . lang('Expenses.one_or_multiple'), 'ids' => $expenses_to_delete]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Expenses.successful_deleted') . ' ' . count($expenses_to_delete) . ' ' . lang('Expenses.one_or_multiple'), 'ids' => $expenses_to_delete]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Expenses.cannot_be_deleted'), 'ids' => $expenses_to_delete]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Expenses.cannot_be_deleted'), 'ids' => $expenses_to_delete]);
        }
    }
 }
--- a/app/Controllers/Expenses_categories.php
+++ b/app/Controllers/Expenses_categories.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Expense_category;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 class Expenses_categories extends Secure_Controller    // TODO: Is this class ever used?
@@ -19,17 +20,17 @@ class Expenses_categories extends Secure_Controller    // TODO: Is this class ev
    /**
     * @return void
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_expense_category_manage_table_headers();

-        echo view('expenses_categories/manage', $data);
+        return view('expenses_categories/manage', $data);
    }

    /**
     * Returns expense_category_manage table data rows. This will be called with AJAX.
     **/
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -45,36 +46,36 @@ class Expenses_categories extends Secure_Controller    // TODO: Is this class ev
            $data_rows[] = get_expense_category_data_row($expense_category);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * @param int $row_id
     * @return void
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_expense_category_data_row($this->expense_category->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $expense_category_id
     * @return void
     */
-    public function getView(int $expense_category_id = NEW_ENTRY): void
+    public function getView(int $expense_category_id = NEW_ENTRY): string
    {
        $data['category_info'] = $this->expense_category->get_info($expense_category_id);

-        echo view("expenses_categories/form", $data);
+        return view("expenses_categories/form", $data);
    }

    /**
     * @param int $expense_category_id
     * @return void
     */
-    public function postSave(int $expense_category_id = NEW_ENTRY): void
+    public function postSave(int $expense_category_id = NEW_ENTRY): ResponseInterface
    {
        $expense_category_data = [
            'category_name'        => $this->request->getPost('category_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
@@ -84,20 +85,20 @@ class Expenses_categories extends Secure_Controller    // TODO: Is this class ev
        if ($this->expense_category->save_value($expense_category_data, $expense_category_id)) {
            // New expense_category
            if ($expense_category_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Expenses_categories.successful_adding'),
                    'id'      => $expense_category_data['expense_category_id']
                ]);
            } else { // Existing Expense Category
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Expenses_categories.successful_updating'),
                    'id'      => $expense_category_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Expenses_categories.error_adding_updating') . ' ' . $expense_category_data['category_name'],
                'id'      => NEW_ENTRY
@@ -108,17 +109,17 @@ class Expenses_categories extends Secure_Controller    // TODO: Is this class ev
    /**
     * @return void
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $expense_category_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if ($this->expense_category->delete_list($expense_category_to_delete)) {    // TODO: Convert to ternary notation.
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Expenses_categories.successful_deleted') . ' ' . count($expense_category_to_delete) . ' ' . lang('Expenses_categories.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Expenses_categories.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Expenses_categories.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Giftcards.php
+++ b/app/Controllers/Giftcards.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Giftcard;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;

@@ -18,19 +19,19 @@ class Giftcards extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_giftcards_manage_table_headers();

-        echo view('giftcards/manage', $data);
+        return view('giftcards/manage', $data);
    }

    /**
     * Returns Giftcards table data rows. This will be called with AJAX.
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -46,50 +47,50 @@ class Giftcards extends Secure_Controller
            $data_rows[] = get_giftcard_data_row($giftcard);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * Gets search suggestions for giftcards. Used in app\Views\sales\register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->giftcard->get_search_suggestions($search, true);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->giftcard->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_giftcard_data_row($this->giftcard->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $giftcard_id
-     * @return void
+     * @return string
     */
-    public function getView(int $giftcard_id = NEW_ENTRY): void
+    public function getView(int $giftcard_id = NEW_ENTRY): string
    {
        $config = config(OSPOS::class)->settings;
        $giftcard_info = $this->giftcard->get_info($giftcard_id);
@@ -106,14 +107,14 @@ class Giftcards extends Secure_Controller
        $data['giftcard_id'] = $giftcard_id;
        $data['giftcard_value'] = $giftcard_info->value;

-        echo view("giftcards/form", $data);
+        return view("giftcards/form", $data);
    }

    /**
     * @param int $giftcard_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $giftcard_id = NEW_ENTRY): void
+    public function postSave(int $giftcard_id = NEW_ENTRY): ResponseInterface
    {
        $giftcard_number = $this->request->getPost('giftcard_number', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

@@ -131,20 +132,20 @@ class Giftcards extends Secure_Controller
        if ($this->giftcard->save_value($giftcard_data, $giftcard_id)) {
            // New giftcard
            if ($giftcard_id == NEW_ENTRY) {    // TODO: Constant needed
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Giftcards.successful_adding') . ' ' . $giftcard_data['giftcard_number'],
                    'id'      => $giftcard_data['giftcard_id']
                ]);
            } else { // Existing giftcard
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Giftcards.successful_updating') . ' ' . $giftcard_data['giftcard_number'],
                    'id'      => $giftcard_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Giftcards.error_adding_updating') . ' ' . $giftcard_data['giftcard_number'],
                'id'      => NEW_ENTRY
@@ -158,30 +159,30 @@ class Giftcards extends Secure_Controller
     * @return void
     * @noinspection PhpUnused
     */
-    public function postCheckNumberGiftcard(): void
+    public function postCheckNumberGiftcard(): ResponseInterface
    {
        $existing_id = $this->request->getPost('giftcard_id', FILTER_SANITIZE_NUMBER_INT);
        $giftcard_number = $this->request->getPost('giftcard_number', FILTER_SANITIZE_NUMBER_INT);
        $giftcard_id = $this->giftcard->get_giftcard_id($giftcard_number);
        $success = ($giftcard_id == (int) $existing_id || !$giftcard_id );

-        echo $success ? 'true' : 'false';
+        return $this->response->setJSON($success ? 'true' : 'false');
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $giftcards_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if ($this->giftcard->delete_list($giftcards_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Giftcards.successful_deleted') . ' ' . count($giftcards_to_delete) . ' ' . lang('Giftcards.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Giftcards.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Giftcards.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Home.php
+++ b/app/Controllers/Home.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use CodeIgniter\HTTP\RedirectResponse;
+use CodeIgniter\HTTP\ResponseInterface;

 class Home extends Secure_Controller
 {
@@ -12,12 +13,12 @@ class Home extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $logged_in = $this->employee->is_logged_in();
-        echo view('home/home');
+        return view('home/home');
    }

    /**
@@ -35,58 +36,92 @@ class Home extends Secure_Controller
    /**
     * Load "change employee password" form
     *
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function getChangePassword(int $employee_id = -1): void    // TODO: Replace -1 with a constant
+    public function getChangePassword(int $employeeId = NEW_ENTRY)
    {
-        $person_info = $this->employee->get_info($employee_id);
+        $loggedInEmployee = $this->employee->get_logged_in_employee_info();
+        $currentPersonId = $loggedInEmployee->person_id;
+
+        $employeeId = $employeeId === NEW_ENTRY ? $currentPersonId : $employeeId;
+
+        if (!$this->employee->isAdmin($currentPersonId) && $employeeId !== $currentPersonId) {
+            return $this->response->setStatusCode(403)->setBody(lang('Employees.unauthorized_modify'));
+        }
+
+        $person_info = $this->employee->get_info($employeeId);
        foreach (get_object_vars($person_info) as $property => $value) {
            $person_info->$property = $value;
        }
        $data['person_info'] = $person_info;

-        echo view('home/form_change_password', $data);
+        return view('home/form_change_password', $data);
    }

    /**
     * Change employee password
+     *
+     * @return ResponseInterface
     */
-    public function postSave(int $employee_id = -1): void    // TODO: Replace -1 with a constant
+    public function postSave(int $employeeId = NEW_ENTRY): ResponseInterface
    {
-        if (!empty($this->request->getPost('current_password')) && $employee_id != -1) {
+        $currentUser = $this->employee->get_logged_in_employee_info();
+
+        $employeeId = $employeeId === NEW_ENTRY ? $currentUser->person_id : $employeeId;
+
+        if (!$this->employee->isAdmin($currentUser->person_id) && $employeeId !== $currentUser->person_id) {
+            return $this->response->setStatusCode(403)->setJSON([
+                'success' => false,
+                'message' => lang('Employees.unauthorized_modify')
+            ]);
+        }
+
+        if (!empty($this->request->getPost('current_password')) && $employeeId != NEW_ENTRY) {
            if ($this->employee->check_password($this->request->getPost('username', FILTER_SANITIZE_FULL_SPECIAL_CHARS), $this->request->getPost('current_password'))) {
+                // Validate password length BEFORE hashing
+                $new_password = $this->request->getPost('password');
+                
+                if (strlen($new_password) < 8) {
+                    return $this->response->setJSON([
+                        'success' => false,
+                        'message' => lang('Employees.password_minlength'),
+                        'id'      => NEW_ENTRY
+                    ]);
+                }
+                
                $employee_data = [
                    'username'     => $this->request->getPost('username', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
-                    'password'     => password_hash($this->request->getPost('password'), PASSWORD_DEFAULT),
+                    'password'     => password_hash($new_password, PASSWORD_DEFAULT),
                    'hash_version' => 2
                ];

-                if ($this->employee->change_password($employee_data, $employee_id) && strlen($employee_data['password']) >= 8) {
-                    echo json_encode([
+                if ($this->employee->change_password($employee_data, $employeeId)) {
+                    return $this->response->setJSON([
                        'success' => true,
                        'message' => lang('Employees.successful_change_password'),
-                        'id'      => $employee_id
+                        'id'      => $employeeId
                    ]);
-                } else { // Failure    // TODO: Replace -1 with constant
-                    echo json_encode([
+                } else {
+                    return $this->response->setJSON([
                        'success' => false,
                        'message' => lang('Employees.unsuccessful_change_password'),
-                        'id'      => -1
+                        'id'      => NEW_ENTRY
                    ]);
                }
-            } else {    // TODO: Replace -1 with constant
-                echo json_encode([
+            } else {
+                return $this->response->setJSON([
                    'success' => false,
                    'message' => lang('Employees.current_password_invalid'),
-                    'id'      => -1
+                    'id'      => NEW_ENTRY
                ]);
            }
-        } else {    // TODO: Replace -1 with constant
-            echo json_encode([
+        } else {
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Employees.current_password_invalid'),
-                'id'      => -1
+                'id'      => NEW_ENTRY
            ]);
        }
    }
-}
+}
--- a/app/Controllers/Item_kits.php
+++ b/app/Controllers/Item_kits.php
@@ -7,6 +7,7 @@ use App\Libraries\Barcode_lib;
 use App\Models\Item;
 use App\Models\Item_kit;
 use App\Models\Item_kit_items;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 class Item_kits extends Secure_Controller
@@ -59,19 +60,19 @@ class Item_kits extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_item_kits_manage_table_headers();

-        echo view('item_kits/manage', $data);
+        return view('item_kits/manage', $data);
    }

    /**
     * Returns Item_kit table data rows. This will be called with AJAX.
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search') ?? '';
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -89,37 +90,37 @@ class Item_kits extends Secure_Controller
            $data_rows[] = get_item_kit_data_row($item_kit);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->item_kit->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        // Calculate the total cost and retail price of the Kit, so it can be added to the table refresh
        $item_kit = $this->_add_totals_to_item_kit($this->item_kit->get_info($row_id));

-        echo json_encode(get_item_kit_data_row($item_kit));
+        return $this->response->setJSON(get_item_kit_data_row($item_kit));
    }

    /**
     * @param int $item_kit_id
-     * @return void
+     * @return string
     */
-    public function getView(int $item_kit_id = NEW_ENTRY): void
+    public function getView(int $item_kit_id = NEW_ENTRY): string
    {
        $info = $this->item_kit->get_info($item_kit_id);

@@ -153,14 +154,14 @@ class Item_kits extends Secure_Controller
        $data['selected_kit_item_id'] = $info->kit_item_id;
        $data['selected_kit_item'] = ($item_kit_id > 0 && isset($info->kit_item_id)) ? $info->item_name : '';

-        echo view("item_kits/form", $data);
+        return view("item_kits/form", $data);
    }

    /**
     * @param int $item_kit_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $item_kit_id = NEW_ENTRY): void
+    public function postSave(int $item_kit_id = NEW_ENTRY): ResponseInterface
    {
        $item_kit_data = [
            'name'              => $this->request->getPost('name'),
@@ -201,20 +202,20 @@ class Item_kits extends Secure_Controller
            }

            if ($new_item) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => $success,
                    'message' => lang('Item_kits.successful_adding') . ' ' . $item_kit_data['name'],
                    'id'      => $item_kit_id
                ]);
            } else {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => $success,
                    'message' => lang('Item_kits.successful_updating') . ' ' . $item_kit_data['name'],
                    'id'      => $item_kit_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Item_kits.error_adding_updating') . ' ' . $item_kit_data['name'],
                'id'      => NEW_ENTRY
@@ -223,42 +224,42 @@ class Item_kits extends Secure_Controller
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $item_kits_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

        if ($this->item_kit->delete_list($item_kits_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Item_kits.successful_deleted') . ' ' . count($item_kits_to_delete) . ' ' . lang('Item_kits.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Item_kits.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Item_kits.cannot_be_deleted')]);
        }
    }

    /**
     * Checks the validity of the item kit number. Used in app/Views/item_kits/form.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckItemNumber(): void
+    public function postCheckItemNumber(): ResponseInterface
    {
        $exists = $this->item_kit->item_number_exists($this->request->getPost('item_kit_number', FILTER_SANITIZE_FULL_SPECIAL_CHARS), $this->request->getPost('item_kit_id', FILTER_SANITIZE_NUMBER_INT));
-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
     * AJAX called function that generates barcodes for selected item_kits.
     *
     * @param string $item_kit_ids Colon separated list of item_kit_id values to generate barcodes for.
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getGenerateBarcodes(string $item_kit_ids): void
+    public function getGenerateBarcodes(string $item_kit_ids): string
    {
        $barcode_lib = new Barcode_lib();
        $result = [];
@@ -289,6 +290,6 @@ class Item_kits extends Secure_Controller
        $data['barcode_config'] = $barcode_config;

        // Display barcodes
-        echo view("barcodes/barcode_sheet", $data);
+        return view("barcodes/barcode_sheet", $data);
    }
 }
--- a/app/Controllers/Items.php
+++ b/app/Controllers/Items.php
@@ -15,6 +15,7 @@ use App\Models\Stock_location;
 use App\Models\Supplier;
 use App\Models\Tax_category;

+use CodeIgniter\HTTP\ResponseInterface;
 use CodeIgniter\Images\Handlers\BaseHandler;
 use CodeIgniter\HTTP\DownloadResponse;
 use Config\OSPOS;
@@ -65,14 +66,19 @@ class Items extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $this->session->set('allow_temp_items', 0);

        $data['table_headers'] = get_items_manage_table_headers();
-        $data['stock_location'] = $this->item_lib->get_item_location();
+        
+        // Restore stock_location from URL or session
+        $stockLocation = $this->request->getGet('stock_location', FILTER_SANITIZE_NUMBER_INT);
+        $data['stock_location'] = $stockLocation
+            ? $stockLocation
+            : $this->item_lib->get_item_location();
        $data['stock_locations'] = $this->stock_location->get_allowed_locations();

        // Filters that will be loaded in the multiselect dropdown
@@ -86,16 +92,19 @@ class Items extends Secure_Controller
            'temporary'      => lang('Items.temp')
        ];

-        echo view('items/manage', $data);
+        // Restore filters from URL
+        $data = array_merge($data, restoreTableFilters($this->request));
+
+        return view('items/manage', $data);
    }

    /**
     * Returns Items table data rows. This will be called with AJAX.
     * @noinspection PhpUnused
     **/
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
-        $search = $this->request->getGet('search');
+        $search = $this->request->getGet('search', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
        $offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
        $sort = $this->sanitizeSortColumn(item_headers(), $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS), 'item_id');
@@ -134,19 +143,20 @@ class Items extends Secure_Controller
            }
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * AJAX function. Processes thumbnail of image. Called via tabular_helper
     * @param string $pic_filename
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getPicThumb(string $pic_filename): void
+    public function getPicThumb(string $pic_filename): ResponseInterface
    {
        helper('file');

+        $pic_filename = rawurldecode($pic_filename);
        $file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
        $images = glob("./uploads/item_pics/$pic_filename");
        $base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
@@ -164,15 +174,17 @@ class Items extends Secure_Controller

            $this->response->setContentType(mime_content_type($thumb_path));
            $this->response->setBody(file_get_contents($thumb_path));
-            $this->response->send();
        }
+
+        return $this->response;
    }

    /**
     * Gives search suggestions based on what is being searched for
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $options = [
            'search_custom' => $this->request->getPost('search_custom'),
@@ -182,71 +194,73 @@ class Items extends Secure_Controller
        $search = $this->request->getPost('term');
        $suggestions = $this->item->get_search_suggestions($search, $options);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * AJAX Function used to get search suggestions from the model and return them in JSON format
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestLowSell(): void
+    public function getSuggestLowSell(): ResponseInterface
    {
        $suggestions = $this->item->get_low_sell_suggestions($this->request->getPostGet('name'));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestKits(): void
+    public function getSuggestKits(): ResponseInterface
    {
        $suggestions = $this->item->get_kit_search_suggestions($this->request->getGet('term'), ['search_custom' => false, 'is_deleted' => false], true);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Gives search suggestions based on what is being searched for. Called from the view.
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestCategory(): void
+    public function getSuggestCategory(): ResponseInterface
    {
        $suggestions = $this->item->get_category_suggestions($this->request->getGet('term'));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Gives search suggestions based on what is being searched for.
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestLocation(): void
+    public function getSuggestLocation(): ResponseInterface
    {
        $suggestions = $this->item->get_location_suggestions($this->request->getGet('term'));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * @param string $item_ids
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(string $item_ids): void    // TODO: An array would be better for parameter.
+    public function getRow(string $item_ids): ResponseInterface    // TODO: An array would be better for parameter.
    {
        $item_infos = $this->item->get_multiple_info(explode(':', $item_ids), $this->item_lib->get_item_location());

@@ -256,14 +270,14 @@ class Items extends Secure_Controller
            $result[$item_info->item_id] = get_item_data_row($item_info);
        }

-        echo json_encode($result);
+        return $this->response->setJSON($result);
    }

    /**
     * @param int $item_id
-     * @return void
+     * @return string
     */
-    public function getView(int $item_id = NEW_ENTRY): void    // TODO: Long function. Perhaps we need to refactor out some methods.
+    public function getView(int $item_id = NEW_ENTRY): string    // TODO: Long function. Perhaps we need to refactor out some methods.
    {
        $item_id ??= NEW_ENTRY;

@@ -372,7 +386,7 @@ class Items extends Secure_Controller
            } else {
                $images = glob("./uploads/item_pics/$item_info->pic_filename");
            }
-            $data['image_path']    = sizeof($images) > 0 ? base_url($images[0]) : '';
+            $data['image_path']    = sizeof($images) > 0 ? base_url(implode('/', array_map('rawurlencode', explode('/', ltrim($images[0], './'))))) : '';
        } else {
            $data['image_path']    = '';
        }
@@ -395,17 +409,17 @@ class Items extends Secure_Controller
            $data['selected_low_sell_item'] = '';
        }

-        echo view('items/form', $data);
+        return view('items/form', $data);
    }

    /**
     * AJAX called function which returns the update inventory form view for an item
     *
     * @param int $item_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getInventory(int $item_id = NEW_ENTRY): void
+    public function getInventory(int $item_id = NEW_ENTRY): string
    {
        $item_info = $this->item->get_info($item_id);    // TODO: Duplicate code

@@ -424,15 +438,15 @@ class Items extends Secure_Controller
            $data['item_quantities'][$location['location_id']] = $quantity;
        }

-        echo view('items/form_inventory', $data);
+        return view('items/form_inventory', $data);
    }

    /**
     * @param int $item_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getCountDetails(int $item_id = NEW_ENTRY): void
+    public function getCountDetails(int $item_id = NEW_ENTRY): string
    {
        $item_info = $this->item->get_info($item_id);    // TODO: Duplicate code

@@ -451,17 +465,17 @@ class Items extends Secure_Controller
            $data['item_quantities'][$location['location_id']] = $quantity;
        }

-        echo view('items/form_count_details', $data);
+        return view('items/form_count_details', $data);
    }

    /**
     *  AJAX called function that generates barcodes for selected items.
     *
     * @param string $item_ids Colon separated list of item_id values to generate barcodes for.
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getGenerateBarcodes(string $item_ids): void    // TODO: Passing these through as a string instead of an array limits the contents of the item_ids. Perhaps a better approach would to serialize as JSON in an array and pass through post variables?
+    public function getGenerateBarcodes(string $item_ids): string    // TODO: Passing these through as a string instead of an array limits the contents of the item_ids. Perhaps a better approach would to serialize as JSON in an array and pass through post variables?
    {
        $item_ids = explode(':', $item_ids);
        $result = $this->item->get_multiple_info($item_ids, $this->item_lib->get_item_location())->getResultArray();
@@ -477,16 +491,16 @@ class Items extends Secure_Controller
        }
        $data['items'] = $result;

-        echo view('barcodes/barcode_sheet', $data);
+        return view('barcodes/barcode_sheet', $data);
    }

    /**
     * Gathers attribute value information for an item and returns it in a view.
     *
     * @param int $item_id
-     * @return void
+     * @return string
     */
-    public function getAttributes(int $item_id = NEW_ENTRY): void
+    public function getAttributes(int $item_id = NEW_ENTRY): string
    {
        $data['item_id'] = $item_id;
        $definition_ids = json_decode($this->request->getGet('definition_ids') ?? '', true);
@@ -514,15 +528,15 @@ class Items extends Secure_Controller
            unset($data['definition_names'][$definition_id]);
        }

-        echo view('attributes/item', $data);
+        return view('attributes/item', $data);
    }

    /**
     * @param int $item_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postAttributes(int $item_id = NEW_ENTRY): void
+    public function postAttributes(int $item_id = NEW_ENTRY): string
    {
        $data['item_id'] = $item_id;
        $definition_ids = json_decode($this->request->getPost('definition_ids'), true);
@@ -550,16 +564,16 @@ class Items extends Secure_Controller
            unset($data['definition_names'][$definition_id]);
        }

-        echo view('attributes/item', $data);
+        return view('attributes/item', $data);
    }

    /**
     * Edit multiple items. Used in app/Views/items/manage.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getBulkEdit(): void
+    public function getBulkEdit(): string
    {
        $suppliers = ['' => lang('Items.none')];

@@ -580,14 +594,15 @@ class Items extends Secure_Controller
            0  => lang('Items.change_all_to_unserialized')
        ];

-        echo view('items/form_bulk', $data);
+        return view('items/form_bulk', $data);
    }

    /**
     * @param int $item_id
+     * @return ResponseInterface
     * @throws ReflectionException
     */
-    public function postSave(int $item_id = NEW_ENTRY): void
+    public function postSave(int $item_id = NEW_ENTRY): ResponseInterface
    {
        $upload_data = $this->upload_image();
        $upload_success = empty($upload_data['error']);
@@ -611,7 +626,7 @@ class Items extends Secure_Controller
        // Save item data
        $item_data = [
            'name'                  => $this->request->getPost('name'),
-            'description'           => $this->request->getPost('description'),
+            'description'           => $this->request->getPost('description', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
            'category'              => $this->request->getPost('category'),
            'item_type'             => $item_type,
            'stock_type'            => $this->request->getPost('stock_type') === null ? HAS_STOCK : intval($this->request->getPost('stock_type')),
@@ -717,16 +732,16 @@ class Items extends Secure_Controller
            if ($success && $upload_success) {
                $message = lang('Items.successful_' . ($new_item ? 'adding' : 'updating')) . ' ' . $item_data['name'];

-                echo json_encode(['success' => true, 'message' => $message, 'id' => $item_id]);
+                return $this->response->setJSON(['success' => true, 'message' => $message, 'id' => $item_id]);
            } else {
                $message = $upload_success ? lang('Items.error_adding_updating') . ' ' . $item_data['name'] : strip_tags($upload_data['error']);

-                echo json_encode(['success' => false, 'message' => $message, 'id' => $item_id]);
+                return $this->response->setJSON(['success' => false, 'message' => $message, 'id' => $item_id]);
            }
        } else {
            $message = lang('Items.error_adding_updating') . ' ' . $item_data['name'];

-            echo json_encode(['success' => false, 'message' => $message, 'id' => NEW_ENTRY]);
+            return $this->response->setJSON(['success' => false, 'message' => $message, 'id' => NEW_ENTRY]);
        }
    }

@@ -762,10 +777,13 @@ class Items extends Secure_Controller

        $filename = $file->getClientName();
        $info = pathinfo($filename);
+        
+        // Sanitize filename to remove problematic characters like spaces
+        $sanitized_name = preg_replace('/[^a-zA-Z0-9_\-\.]/', '_', $info['filename']);

        $file_info = [
            'orig_name' => $filename,
-            'raw_name'  => $info['filename'],
+            'raw_name'  => $sanitized_name,
            'file_ext'  => $file->guessExtension()
        ];

@@ -777,49 +795,51 @@ class Items extends Secure_Controller
    /**
     * Ajax call to check to see if the item number, a.k.a. barcode, is already used by another item
     * If it exists then that is an error condition so return true for "error found"
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckItemNumber(): void
+    public function postCheckItemNumber(): ResponseInterface
    {
        $exists = $this->item->item_number_exists($this->request->getPost('item_number'), $this->request->getPost('item_id'));

-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
     * Checks to see if an item kit with the same name as the item already exists.
     *
-     * @return void
+     * @return ResponseInterface
     */
-    public function check_kit_exists(): void    // TODO: This function appears to be never called in the code.  Need to confirm.
+    public function check_kit_exists(): ResponseInterface    // TODO: This function appears to be never called in the code.  Need to confirm.
    {
        if ($this->request->getPost('item_number') === NEW_ENTRY) {
            $exists = $this->item_kit->item_kit_exists_for_name($this->request->getPost('name'));    // TODO: item_kit_exists_for_name doesn't exist in Item_kit.  I looked at the blame and it appears to have never existed.
        } else {
            $exists = false;
        }
-        echo !$exists ? 'true' : 'false';
+
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
     * @param $item_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getRemoveLogo($item_id): void
+    public function getRemoveLogo($item_id): ResponseInterface
    {
        $item_data = ['pic_filename' => null];
        $result = $this->item->save_value($item_data, $item_id);

-        echo json_encode(['success' => $result]);
+        return $this->response->setJSON(['success' => $result]);
    }

    /**
+     * @return ResponseInterface
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postSaveInventory($item_id = NEW_ENTRY): void
+    public function postSaveInventory($item_id = NEW_ENTRY): ResponseInterface
    {
        $employee_id = $this->employee->get_logged_in_employee_info()->person_id;
        $cur_item_info = $this->item->get_info($item_id);
@@ -847,29 +867,29 @@ class Items extends Secure_Controller
        if ($this->item_quantity->save_value($item_quantity_data, $item_id, $location_id)) {
            $message = lang('Items.successful_updating') . " $cur_item_info->name";

-            echo json_encode(['success' => true, 'message' => $message, 'id' => $item_id]);
+            return $this->response->setJSON(['success' => true, 'message' => $message, 'id' => $item_id]);
        } else {
            $message = lang('Items.error_adding_updating') . " $cur_item_info->name";

-            echo json_encode(['success' => false, 'message' => $message, 'id' => NEW_ENTRY]);
+            return $this->response->setJSON(['success' => false, 'message' => $message, 'id' => NEW_ENTRY]);
        }
    }

    /**
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postBulkUpdate(): void
+    public function postBulkUpdate(): ResponseInterface
    {
        $items_to_update = $this->request->getPost('item_ids');
        $item_data = [];

-        foreach ($_POST as $key => $value) {
-            // This field is nullable, so treat it differently
-            if ($key === 'supplier_id' && $value !== '') {
-                $item_data[$key] = $value;
-            } elseif ($value !== '' && !(in_array($key, ['item_ids', 'tax_names', 'tax_percents']))) {
-                $item_data[$key] = $value;
+        foreach (Item::ALLOWED_BULK_EDIT_FIELDS as $field) {
+            $value = $this->request->getPost($field);
+            if ($field === 'supplier_id' && $value !== '') {
+                $item_data[$field] = $value;
+            } elseif ($value !== null && $value !== '') {
+                $item_data[$field] = $value;
            }
        }

@@ -891,23 +911,24 @@ class Items extends Secure_Controller
                $this->item_taxes->save_multiple($items_taxes_data, $items_to_update);
            }

-            echo json_encode(['success' => true, 'message' => lang('Items.successful_bulk_edit'), 'id' => $items_to_update]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Items.successful_bulk_edit'), 'id' => $items_to_update]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Items.error_updating_multiple')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Items.error_updating_multiple')]);
        }
    }

    /**
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $items_to_delete = $this->request->getPost('ids');

        if ($this->item->delete_list($items_to_delete)) {
            $message = lang('Items.successful_deleted') . ' ' . count($items_to_delete) . ' ' . lang('Items.one_or_multiple');
-            echo json_encode(['success' => true, 'message' => $message]);
+            return $this->response->setJSON(['success' => true, 'message' => $message]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Items.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Items.cannot_be_deleted')]);
        }
    }

@@ -929,25 +950,26 @@ class Items extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getCsvImport(): void
+    public function getCsvImport(): string
    {
-        echo view('items/form_csv_import');
+        return view('items/form_csv_import');
    }

    /**
     * Imports items from CSV formatted file.
+     * @return ResponseInterface
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postImportCsvFile(): void
+    public function postImportCsvFile(): ResponseInterface
    {
        helper('importfile_helper');
        try {
            if ($_FILES['file_path']['error'] !== UPLOAD_ERR_OK) {
-                echo json_encode(['success' => false, 'message' => lang('Items.csv_import_failed')]);
+                return $this->response->setJSON(['success' => false, 'message' => lang('Items.csv_import_failed')]);
            } else {
                if (file_exists($_FILES['file_path']['tmp_name'])) {
                    set_time_limit(240);
@@ -1007,7 +1029,11 @@ class Items extends Secure_Controller
                        }

                        if (!$is_failed_row) {
-                            $is_failed_row = $this->data_error_check($row, $item_data, $allowed_stock_locations, $attribute_definition_names, $attribute_data);
+                            $invalidLocations = $this->validateCSVStockLocations($row, $allowedStockLocations);
+                            if (!empty($invalidLocations)) {
+                                $isFailedRow = true;
+                                log_message('error', 'CSV import: Invalid stock location(s) found: ' . implode(', ', $invalidLocations));
+                            }
                        }

                        // Remove false, null, '' and empty strings but keep 0
@@ -1037,23 +1063,46 @@ class Items extends Secure_Controller
                    if (count($failCodes) > 0) {
                        $message = lang('Items.csv_import_partially_failed', [count($failCodes), implode(', ', $failCodes)]);
                        $db->transRollback();
-                        echo json_encode(['success' => false, 'message' => $message]);
+                        return $this->response->setJSON(['success' => false, 'message' => $message]);
                    } else {
                        $db->transCommit();

-                        echo json_encode(['success' => true, 'message' => lang('Items.csv_import_success')]);
+                        return $this->response->setJSON(['success' => true, 'message' => lang('Items.csv_import_success')]);
                    }
                } else {
-                    echo json_encode(['success' => false, 'message' => lang('Items.csv_import_nodata_wrongformat')]);
+                    return $this->response->setJSON(['success' => false, 'message' => lang('Items.csv_import_nodata_wrongformat')]);
                }
            }
        } catch (Exception $e) {
-            echo json_encode(['success' => false, 'message' => $e->getMessage()]);
-            return;
+            return $this->response->setJSON(['success' => false, 'message' => $e->getMessage()]);
        }

    }

+    /**
+     * Validates that stock location columns in CSV row are valid locations
+     *
+     * @param array $row
+     * @param array $allowedLocations
+     * @return array Returns array of invalid location names, empty if all valid
+     */
+    private function validateCSVStockLocations(array $row, array $allowedLocations): array
+    {
+        $invalidLocations = [];
+        $allowedLocationNames = array_values($allowedLocations);
+
+        foreach (array_keys($row) as $key) {
+            if (str_starts_with($key, 'location_')) {
+                $locationName = substr($key, 9);
+                if (!in_array($locationName, $allowedLocationNames)) {
+                    $invalidLocations[] = $locationName;
+                }
+            }
+        }
+
+        return $invalidLocations;
+    }
+
    /**
     * Checks the entire line of data in an import file for errors
     *
--- a/app/Controllers/Messages.php
+++ b/app/Controllers/Messages.php
@@ -5,6 +5,7 @@ namespace App\Controllers;
 use App\Libraries\Sms_lib;

 use App\Models\Person;
+use CodeIgniter\HTTP\ResponseInterface;

 class Messages extends Secure_Controller
 {
@@ -18,18 +19,18 @@ class Messages extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
-        echo view('messages/sms');
+        return view('messages/sms');
    }

    /**
     * @param int $person_id
-     * @return void
+     * @return string
     */
-    public function getView(int $person_id = NEW_ENTRY): void
+    public function getView(int $person_id = NEW_ENTRY): string
    {
        $person = model(Person::class);
        $info = $person->get_info($person_id);
@@ -39,13 +40,13 @@ class Messages extends Secure_Controller
        }
        $data['person_info'] = $info;

-        echo view('messages/form_sms', $data);
+        return view('messages/form_sms', $data);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function send(): void
+    public function send(): ResponseInterface
    {
        $phone   = $this->request->getPost('phone', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $message = $this->request->getPost('message', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -53,9 +54,9 @@ class Messages extends Secure_Controller
        $response = $this->sms_lib->sendSMS($phone, $message);

        if ($response) {
-            echo json_encode(['success' => true, 'message' => lang('Messages.successfully_sent') . ' ' . esc($phone)]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Messages.successfully_sent') . ' ' . esc($phone)]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Messages.unsuccessfully_sent') . ' ' . esc($phone)]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Messages.unsuccessfully_sent') . ' ' . esc($phone)]);
        }
    }

@@ -63,10 +64,10 @@ class Messages extends Secure_Controller
     * Sends an SMS message to a user. Used in app/Views/messages/form_sms.php.
     *
     * @param int $person_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function send_form(int $person_id = NEW_ENTRY): void
+    public function send_form(int $person_id = NEW_ENTRY): ResponseInterface
    {
        $phone   = $this->request->getPost('phone', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $message = $this->request->getPost('message', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -74,13 +75,13 @@ class Messages extends Secure_Controller
        $response = $this->sms_lib->sendSMS($phone, $message);

        if ($response) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success'   => true,
                'message'   => lang('Messages.successfully_sent') . ' ' . esc($phone),
                'person_id' => $person_id
            ]);
        } else {
-            echo json_encode([
+            return $this->response->setJSON([
                'success'   => false,
                'message'   => lang('Messages.unsuccessfully_sent') . ' ' . esc($phone),
                'person_id' => NEW_ENTRY
--- a/app/Controllers/No_access.php
+++ b/app/Controllers/No_access.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Module;
+use CodeIgniter\HTTP\ResponseInterface;

 /**
 * Part of the grants mechanism to restrict access to modules that the user doesn't have permission for.
@@ -22,13 +23,13 @@ class No_access extends BaseController
    /**
     * @param string $module_id
     * @param string $permission_id
-     * @return void
+     * @return string
     */
-    public function getIndex(string $module_id = '', string $permission_id = ''): void
+    public function getIndex(string $module_id = '', string $permission_id = ''): string
    {
        $data['module_name']   = $this->module->get_module_name($module_id);
        $data['permission_id'] = $permission_id;

-        echo view('no_access', $data);
+        return view('no_access', $data);
    }
 }
--- a/app/Controllers/Office.php
+++ b/app/Controllers/Office.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Employee;
+use CodeIgniter\HTTP\ResponseInterface;

 /**
 * @property Employee employee
@@ -17,11 +18,11 @@ class Office extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
-        echo view('home/office');
+        return view('home/office');
    }

    /**
--- a/app/Controllers/Payments/Webhook.php
+++ b/app/Controllers/Payments/Webhook.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace App\Controllers\Payments;
+
+use App\Controllers\BaseController;
+use App\Libraries\Payments\PaymentProviderRegistry;
+use CodeIgniter\HTTP\ResponseInterface;
+
+class Webhook extends BaseController
+{
+    public function handle(string $providerId): ResponseInterface
+    {
+        $provider = PaymentProviderRegistry::getInstance()->getProvider($providerId);
+        
+        if ($provider === null) {
+            log_message('error', "Webhook received for unknown provider: {$providerId}");
+            return $this->response->setStatusCode(404)->setJSON([
+                'success' => false,
+                'error' => 'Provider not found'
+            ]);
+        }
+        
+        $rawInput = $this->request->getBody();
+        $data = json_decode($rawInput, true) ?? [];
+        
+        if (empty($rawInput)) {
+            $data = $this->request->getPost();
+        }
+        
+        try {
+            $result = $provider->processCallback($data);
+            
+            if ($result['success'] ?? false) {
+                log_message('info', "Webhook processed successfully for provider: {$providerId}", $result);
+                return $this->response->setStatusCode(200)->setJSON($result);
+            }
+            
+            log_message('warning', "Webhook processing failed for provider: {$providerId}", $result);
+            return $this->response->setStatusCode(400)->setJSON($result);
+        } catch (\Exception $e) {
+            log_message('error', "Webhook exception for provider {$providerId}: " . $e->getMessage());
+            return $this->response->setStatusCode(500)->setJSON([
+                'success' => false,
+                'error' => 'Internal server error'
+            ]);
+        }
+    }
+
+    public function status(string $providerId, string $transactionId): ResponseInterface
+    {
+        $provider = PaymentProviderRegistry::getInstance()->getProvider($providerId);
+        
+        if ($provider === null) {
+            return $this->response->setStatusCode(404)->setJSON([
+                'success' => false,
+                'error' => 'Provider not found'
+            ]);
+        }
+        
+        try {
+            $result = $provider->getPaymentStatus($transactionId);
+            return $this->response->setStatusCode(200)->setJSON($result);
+        } catch (\Exception $e) {
+            log_message('error', "Status check exception for provider {$providerId}: " . $e->getMessage());
+            return $this->response->setStatusCode(500)->setJSON([
+                'success' => false,
+                'error' => 'Internal server error'
+            ]);
+        }
+    }
+}
--- a/app/Controllers/Persons.php
+++ b/app/Controllers/Persons.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Person;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;
 use function Tamtamchik\NameCase\str_name_case;

@@ -21,34 +22,36 @@ abstract class Persons extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_people_manage_table_headers();

-        echo view('people/manage', $data);
+        return view('people/manage', $data);
    }

    /**
     * Gives search suggestions based on what is being searched for
+     * @return ResponseInterface
     */
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->person->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Gets one row for a person manage table. This is called using AJAX to update one row.
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_person_data_row($this->person->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
--- a/app/Controllers/Receivings.php
+++ b/app/Controllers/Receivings.php
@@ -11,6 +11,7 @@ use App\Models\Item_kit;
 use App\Models\Receiving;
 use App\Models\Stock_location;
 use App\Models\Supplier;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;
 use ReflectionException;
@@ -46,66 +47,66 @@ class Receivings extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
-        $this->_reload();
+        return $this->_reload();
    }

    /**
     * Returns search suggestions for an item. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getItemSearch(): void
+    public function getItemSearch(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);
        $suggestions = array_merge($suggestions, $this->item_kit->get_search_suggestions($search));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Gets search suggestions for a stock item. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getStockItemSearch(): void
+    public function getStockItemSearch(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->item->get_stock_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true);
        $suggestions = array_merge($suggestions, $this->item_kit->get_search_suggestions($search));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Set supplier if it exists in the database. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postSelectSupplier(): void
+    public function postSelectSupplier(): string
    {
        $supplier_id = $this->request->getPost('supplier', FILTER_SANITIZE_NUMBER_INT);
        if ($this->supplier->exists($supplier_id)) {
            $this->receiving_lib->set_supplier($supplier_id);
        }

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();    // TODO: Hungarian notation
    }

    /**
     * Change receiving mode for current receiving. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postChangeMode(): void
+    public function postChangeMode(): string
    {
        $stock_destination = $this->request->getPost('stock_destination', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $stock_source = $this->request->getPost('stock_source', FILTER_SANITIZE_NUMBER_INT);
@@ -121,49 +122,49 @@ class Receivings extends Secure_Controller
            $this->receiving_lib->set_stock_destination($stock_destination);
        }

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();    // TODO: Hungarian notation
    }

    /**
     * Sets receiving comment. Used in app/Views/receivings/receiving.php
-     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetComment(): void
+    public function postSetComment(): ResponseInterface
    {
        $this->receiving_lib->set_comment($this->request->getPost('comment', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Sets the print after sale flag for the receiving. Used in app/Views/receivings/receiving.php
-     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetPrintAfterSale(): void
+    public function postSetPrintAfterSale(): ResponseInterface
    {
        $this->receiving_lib->set_print_after_sale($this->request->getPost('recv_print_after_sale') != null);
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Sets the reference number for the receiving.  Used in app/Views/receivings/receiving.php
-     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetReference(): void
+    public function postSetReference(): ResponseInterface
    {
        $this->receiving_lib->set_reference($this->request->getPost('recv_reference', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Add an item to the receiving. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postAdd(): void
+    public function postAdd(): string
    {
        $data = [];

@@ -183,17 +184,17 @@ class Receivings extends Secure_Controller
            $data['error'] = lang('Receivings.unable_to_add_item');
        }

-        $this->_reload($data);    // TODO: Hungarian notation
+        return $this->_reload($data);    // TODO: Hungarian notation
    }

    /**
     * Edit line item in current receiving. Used in app/Views/receivings/receiving.php
     *
-     * @param $item_id
-     * @return void
+     * @param string|int|null $item_id
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postEditItem($item_id): void
+    public function postEditItem($item_id): string
    {
        $data = [];

@@ -222,17 +223,16 @@ class Receivings extends Secure_Controller
            $data['error'] = lang('Receivings.error_editing_item');
        }

-        $this->_reload($data);    // TODO: Hungarian notation
+        return $this->_reload($data);    // TODO: Hungarian notation
    }

    /**
     * Edit a receiving. Used in app/Controllers/Receivings.php
-     *
     * @param $receiving_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getEdit($receiving_id): void
+    public function getEdit($receiving_id): string
    {
        $data = [];

@@ -241,73 +241,86 @@ class Receivings extends Secure_Controller
            $data['suppliers'][$supplier->person_id] = $supplier->first_name . ' ' . $supplier->last_name;
        }

+        $receiving_info = $this->receiving->get_info($receiving_id)->getRowArray();
+        
+        $current_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
+        $can_assign_employee = $this->employee->has_grant('employees', $current_employee_id);
+
        $data['employees'] = [];
-        foreach ($this->employee->get_all()->getResult() as $employee) {
-            $data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
+        if ($can_assign_employee) {
+            foreach ($this->employee->get_all()->getResult() as $employee) {
+                $data['employees'][$employee->person_id] = $employee->first_name . ' ' . $employee->last_name;
+            }
+        } else {
+            $stored_employee_id = $receiving_info['employee_id'];
+            $stored_employee = $this->employee->get_info($stored_employee_id);
+            $data['employees'][$stored_employee_id] = $stored_employee->first_name . ' ' . $stored_employee->last_name;
        }

-        $receiving_info = $this->receiving->get_info($receiving_id)->getRowArray();
        $data['selected_supplier_name'] = !empty($receiving_info['supplier_id']) ? $receiving_info['company_name'] : '';
        $data['selected_supplier_id'] = $receiving_info['supplier_id'];
        $data['receiving_info'] = $receiving_info;
+        $data['can_assign_employee'] = $can_assign_employee;

-        echo view('receivings/form', $data);
+        return view('receivings/form', $data);
    }

    /**
     * Deletes an item from the current receiving. Used in app/Views/receivings/receiving.php
     *
     * @param $item_number
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getDeleteItem($item_number): void
+    public function getDeleteItem($item_number): string
    {
        $this->receiving_lib->delete_item($item_number);

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();    // TODO: Hungarian notation
    }

    /**
     * @throws ReflectionException
+     * @return ResponseInterface
     */
-    public function postDelete(int $receiving_id = -1, bool $update_inventory = true): void
+    public function postDelete(int $receiving_id = -1, bool $update_inventory = true): ResponseInterface
    {
        $employee_id = $this->employee->get_logged_in_employee_info()->person_id;
        $receiving_ids = $receiving_id == -1 ? $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT) : [$receiving_id];    // TODO: Replace -1 with constant

        if ($this->receiving->delete_list($receiving_ids, $employee_id, $update_inventory)) {    // TODO: Likely need to surround this block of code in a try-catch to catch the ReflectionException
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Receivings.successfully_deleted') . ' ' . count($receiving_ids) . ' ' . lang('Receivings.one_or_multiple'),
                'ids'     => $receiving_ids
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Receivings.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Receivings.cannot_be_deleted')]);
        }
    }

    /**
     * Removes a supplier from a receiving. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getRemoveSupplier(): void
+    public function getRemoveSupplier(): string
    {
        $this->receiving_lib->clear_reference();
        $this->receiving_lib->remove_supplier();

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();    // TODO: Hungarian notation
    }

    /**
     * Complete and finalize receiving.  Used in app/Views/receivings/receiving.php
     *
+     * @return string
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postComplete(): void
+    public function postComplete(): string
    {

        $data = [];
@@ -356,18 +369,21 @@ class Receivings extends Secure_Controller

        $data['print_after_sale'] = $this->receiving_lib->is_print_after_sale();

-        echo view("receivings/receipt", $data);
+        $view = view("receivings/receipt", $data);

        $this->receiving_lib->clear_all();
+
+        return $view;
    }

    /**
     * Complete a receiving requisition. Used in app/Views/receivings/receiving.php.
     *
+     * @return string
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postRequisitionComplete(): void
+    public function postRequisitionComplete(): string
    {
        if ($this->receiving_lib->get_stock_source() != $this->receiving_lib->get_stock_destination()) {
            foreach ($this->receiving_lib->get_cart() as $item) {
@@ -376,11 +392,11 @@ class Receivings extends Secure_Controller
                $this->receiving_lib->add_item($item['item_id'], -$item['quantity'], $this->receiving_lib->get_stock_source(), $item['discount_type']);
            }

-            $this->postComplete();
+            return $this->postComplete();
        } else {
            $data['error'] = lang('Receivings.error_requisition');

-            $this->_reload($data);    // TODO: Hungarian notation
+            return $this->_reload($data);    // TODO: Hungarian notation
        }
    }

@@ -388,10 +404,10 @@ class Receivings extends Secure_Controller
     * Gets the receipt for a receiving. Used in app/Views/receivings/form.php
     *
     * @param $receiving_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getReceipt($receiving_id): void
+    public function getReceipt($receiving_id): string
    {
        $receiving_info = $this->receiving->get_info($receiving_id)->getRowArray();
        $this->receiving_lib->copy_entire_receiving($receiving_id);
@@ -424,16 +440,18 @@ class Receivings extends Secure_Controller

        $data['print_after_sale'] = false;

-        echo view("receivings/receipt", $data);
+        $view = view("receivings/receipt", $data);

        $this->receiving_lib->clear_all();
+
+        return $view;
    }

    /**
     * @param array $data
-     * @return void
+     * @return string
     */
-    private function _reload(array $data = []): void    // TODO: Hungarian notation
+    private function _reload(array $data = []): string    // TODO: Hungarian notation
    {
        $data['cart'] = $this->receiving_lib->get_cart();
        $data['modes'] = ['receive' => lang('Receivings.receiving'), 'return' => lang('Receivings.return')];
@@ -470,36 +488,47 @@ class Receivings extends Secure_Controller

        $data['print_after_sale'] = $this->receiving_lib->is_print_after_sale();

-        echo view("receivings/receiving", $data);
+        return view("receivings/receiving", $data);
    }

    /**
+     * @return ResponseInterface
     * @throws ReflectionException
     */
-    public function postSave(int $receiving_id = -1): void    // TODO: Replace -1 with a constant
+    public function postSave(int $receiving_id = -1): ResponseInterface    // TODO: Replace -1 with a constant
    {
        $newdate = $this->request->getPost('date', FILTER_SANITIZE_FULL_SPECIAL_CHARS);    // TODO: newdate does not follow naming conventions

        $date_formatter = date_create_from_format($this->config['dateformat'] . ' ' . $this->config['timeformat'], $newdate);
        $receiving_time = $date_formatter->format('Y-m-d H:i:s');

+        $current_employee_id = $this->employee->get_logged_in_employee_info()->person_id;
+        $submitted_employee_id = $this->request->getPost('employee_id', FILTER_SANITIZE_NUMBER_INT);
+
+        if (!$this->employee->has_grant('employees', $current_employee_id)) {
+            $existing_receiving = $this->receiving->get_info($receiving_id)->getRowArray();
+            $employee_id = $existing_receiving['employee_id'];
+        } else {
+            $employee_id = $submitted_employee_id;
+        }
+
        $receiving_data = [
            'receiving_time' => $receiving_time,
            'supplier_id'    => $this->request->getPost('supplier_id') ? $this->request->getPost('supplier_id', FILTER_SANITIZE_NUMBER_INT) : null,
-            'employee_id'    => $this->request->getPost('employee_id', FILTER_SANITIZE_NUMBER_INT),
+            'employee_id'    => $employee_id,
            'comment'        => $this->request->getPost('comment', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
            'reference'      => $this->request->getPost('reference') != '' ? $this->request->getPost('reference', FILTER_SANITIZE_FULL_SPECIAL_CHARS) : null
        ];

        $this->inventory->update('RECV ' . $receiving_id, ['trans_date' => $receiving_time]);
        if ($this->receiving->update($receiving_id, $receiving_data)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Receivings.successfully_updated'),
                'id'      => $receiving_id
            ]);
        } else {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Receivings.unsuccessfully_updated'),
                'id'      => $receiving_id
@@ -510,13 +539,13 @@ class Receivings extends Secure_Controller
    /**
     * Cancel an in-process receiving. Used in app/Views/receivings/receiving.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function postCancelReceiving(): void
+    public function postCancelReceiving(): string
    {
        $this->receiving_lib->clear_all();

-        $this->_reload();    // TODO: Hungarian Notation
+        return $this->_reload();    // TODO: Hungarian Notation
    }
 }
--- a/app/Controllers/Reports.php
+++ b/app/Controllers/Reports.php
@@ -25,6 +25,7 @@ use App\Models\Reports\Summary_sales;
 use App\Models\Reports\Summary_sales_taxes;
 use App\Models\Reports\Summary_suppliers;
 use App\Models\Reports\Summary_taxes;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;

@@ -84,7 +85,8 @@ class Reports extends Secure_Controller

            // Check access to report submodule
            if (!$this->employee->has_grant('reports_' . $submodule_id, $this->employee->get_logged_in_employee_info()->person_id)) {
-                redirect('no_access/reports/reports_' . $submodule_id);
+                header('Location: ' . base_url('no_access/reports/reports_' . $submodule_id));
+                exit();
            }
        }

@@ -101,8 +103,9 @@ class Reports extends Secure_Controller

    /**
     * Initial Report listing screen
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $person_id = $this->session->get('person_id');
        $grants = $this->employee->get_employee_grants($this->session->get('person_id'));
@@ -114,7 +117,7 @@ class Reports extends Secure_Controller
            'permission_ids' => $permissions_ids,
        ];

-        echo view('reports/listing', $data);
+        return view('reports/listing', $data);
    }

    /**
@@ -123,9 +126,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void    // TODO: Perhaps these need to be passed as an array?  Too many parameters in the signature.
+    public function summary_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string    // TODO: Perhaps these need to be passed as an array?  Too many parameters in the signature.
    {   // TODO: Duplicated code
        $this->clearCache();

@@ -161,7 +164,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -170,9 +173,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_categories(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_categories(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated code
        $this->clearCache();

@@ -207,7 +210,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -215,9 +218,9 @@ class Reports extends Secure_Controller
     * @param string $start_date
     * @param string $end_date
     * @param string $sale_type
-     * @return void
+     * @return string
     */
-    public function summary_expenses_categories(string $start_date, string $end_date, string $sale_type): void
+    public function summary_expenses_categories(string $start_date, string $end_date, string $sale_type): string
    {
        $this->clearCache();

@@ -244,7 +247,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -253,9 +256,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_customers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_customers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -292,7 +295,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -301,9 +304,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_suppliers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_suppliers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -338,7 +341,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -347,9 +350,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_items(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_items(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -388,7 +391,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -397,9 +400,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_employees(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_employees(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -436,7 +439,7 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -445,9 +448,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function summary_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicate Code
        $this->clearCache();

@@ -482,13 +485,14 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
     * Summary Sales Taxes report
+     * @return string
     */
-    public function summary_sales_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function summary_sales_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated code
        $this->clearCache();

@@ -521,16 +525,16 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
     * Summary Discounts report input. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function summary_discounts_input(): void
+    public function summary_discounts_input(): string
    {
        $this->clearCache();

@@ -541,13 +545,14 @@ class Reports extends Secure_Controller
        $data['discount_type_options'] = ['0' => lang('Reports.discount_percent'), '1' => lang('Reports.discount_fixed')];
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/date_input', $data);
+        return view('reports/date_input', $data);
    }

    /**
     * Summary Discounts report
+     * @return string
     **/
-    public function summary_discounts(string $start_date, string $end_date, string $sale_type, string $location_id = 'all', int $discount_type = 0): void
+    public function summary_discounts(string $start_date, string $end_date, string $sale_type, string $location_id = 'all', int $discount_type = 0): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -579,13 +584,14 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
     * Summary Payments report
+     * @return string
     */
-    public function summary_payments(string $start_date, string $end_date): void
+    public function summary_payments(string $start_date, string $end_date): string
    {
        $this->clearCache();

@@ -637,16 +643,16 @@ class Reports extends Secure_Controller
            'summary_data' => $summary
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
     * Input for reports that require only a date range. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function date_input(): void
+    public function date_input(): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -656,30 +662,30 @@ class Reports extends Secure_Controller
        $data['mode'] = 'sale';
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/date_input', $data);
+        return view('reports/date_input', $data);
    }

    /**
     * Input for reports that require only a date range. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function date_input_only(): void
+    public function date_input_only(): string
    {
        $this->clearCache();

        $data = [];
-        echo view('reports/date_input', $data);
+        return view('reports/date_input', $data);
    }

    /**
     * Input for reports that require only a date range. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function date_input_sales(): void
+    public function date_input_sales(): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -689,23 +695,23 @@ class Reports extends Secure_Controller
        $data['mode'] = 'sale';
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/date_input', $data);
+        return view('reports/date_input', $data);
    }

    /**
     * Receivings date input. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function date_input_recv(): void
+    public function date_input_recv(): string
    {
        $stock_locations = $data = $this->stock_location->get_allowed_locations('receivings');
        $stock_locations['all'] =  lang('Reports.all');
        $data['stock_locations'] = array_reverse($stock_locations, true);
        $data['mode'] = 'receiving';

-        echo view('reports/date_input', $data);
+        return view('reports/date_input', $data);
    }

    /**
@@ -714,10 +720,10 @@ class Reports extends Secure_Controller
     * @param string $start_date
     * @param string $end_date
     * @param string $sale_type
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function graphical_summary_expenses_categories(string $start_date, string $end_date, string $sale_type): void
+    public function graphical_summary_expenses_categories(string $start_date, string $end_date, string $sale_type): string
    {
        $this->clearCache();

@@ -750,7 +756,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -760,9 +766,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -796,7 +802,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -806,9 +812,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_items(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_items(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -843,7 +849,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -853,9 +859,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_categories(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_categories(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -886,7 +892,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -896,9 +902,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_suppliers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_suppliers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -931,7 +937,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -941,9 +947,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_employees(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_employees(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -975,7 +981,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -985,9 +991,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -1019,7 +1025,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -1029,9 +1035,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_sales_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_sales_taxes(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -1063,7 +1069,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -1073,9 +1079,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_customers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_customers(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -1109,7 +1115,7 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -1120,9 +1126,10 @@ class Reports extends Secure_Controller
     * @param string $sale_type
     * @param string $location_id ID of the location to be reported or 'all' if none is specified
     * @param int $discount_type
+     * @return string
     * @noinspection PhpUnused
     */
-    public function graphical_summary_discounts(string $start_date, string $end_date, string $sale_type, string $location_id = 'all', int $discount_type = 0): void
+    public function graphical_summary_discounts(string $start_date, string $end_date, string $sale_type, string $location_id = 'all', int $discount_type = 0): string
    {   // TODO: Duplicated Code
        $this->clearCache();

@@ -1157,7 +1164,7 @@ class Reports extends Secure_Controller
            'show_currency'  => false
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
@@ -1167,9 +1174,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function graphical_summary_payments(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function graphical_summary_payments(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

@@ -1203,16 +1210,16 @@ class Reports extends Secure_Controller
            'show_currency'  => true
        ];

-        echo view('reports/graphical', $data);
+        return view('reports/graphical', $data);
    }

    /**
     * Gets the specific customer input view. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_customer_input(): void
+    public function specific_customer_input(): string
    {
        $this->clearCache();

@@ -1230,7 +1237,7 @@ class Reports extends Secure_Controller
        $data['sale_type_options'] = $this->get_sale_type_options();

        $data['payment_type'] = $this->get_payment_type();
-        echo view('reports/specific_customer_input', $data);
+        return view('reports/specific_customer_input', $data);
    }

    /**
@@ -1257,10 +1264,10 @@ class Reports extends Secure_Controller
     * @param string $customer_id
     * @param string $sale_type
     * @param string $payment_type
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_customers(string $start_date, string $end_date, string $customer_id, string $sale_type, string $payment_type): void
+    public function specific_customers(string $start_date, string $end_date, string $customer_id, string $sale_type, string $payment_type): string
    {
        $this->clearCache();

@@ -1351,16 +1358,16 @@ class Reports extends Secure_Controller
            'overall_summary_data' => $specific_customer->getSummaryData($inputs)
        ];

-        echo view('reports/tabular_details', $data);
+        return view('reports/tabular_details', $data);
    }

    /**
     * Detailed employee report input form. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_employee_input(): void
+    public function specific_employee_input(): string
    {
        $this->clearCache();

@@ -1374,7 +1381,7 @@ class Reports extends Secure_Controller
        $data['specific_input_data'] = $employees;
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/specific_input', $data);
+        return view('reports/specific_input', $data);
    }

    /**
@@ -1384,10 +1391,10 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $employee_id
     * @param string $sale_type
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_employees(string $start_date, string $end_date, string $employee_id, string $sale_type): void
+    public function specific_employees(string $start_date, string $end_date, string $employee_id, string $sale_type): string
    {
        $this->clearCache();

@@ -1474,16 +1481,16 @@ class Reports extends Secure_Controller
            'overall_summary_data' => $specific_employee->getSummaryData($inputs)
        ];

-        echo view('reports/tabular_details', $data);
+        return view('reports/tabular_details', $data);
    }

    /**
     * Detailed discount report. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_discount_input(): void
+    public function specific_discount_input(): string
    {
        $this->clearCache();

@@ -1498,7 +1505,7 @@ class Reports extends Secure_Controller
        $data['discount_type_options'] = ['0' => lang('Reports.discount_percent'), '1' => lang('Reports.discount_fixed')];
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/specific_input', $data);
+        return view('reports/specific_input', $data);
    }

    /**
@@ -1509,10 +1516,10 @@ class Reports extends Secure_Controller
     * @param string $discount
     * @param string $sale_type
     * @param string $discount_type
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_discounts(string $start_date, string $end_date, string $discount, string $sale_type, string $discount_type): void
+    public function specific_discounts(string $start_date, string $end_date, string $discount, string $sale_type, string $discount_type): string
    {
        $this->clearCache();

@@ -1605,17 +1612,17 @@ class Reports extends Secure_Controller
            'overall_summary_data' => $specific_discount->getSummaryData($inputs)
        ];

-        echo view('reports/tabular_details', $data);
+        return view('reports/tabular_details', $data);
    }

    /**
     * Gets the detailed sales data row for given sale_id. Used in app/Views/reports/tabular_details.php
     *
     * @param string $sale_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getGet_detailed_sales_row(string $sale_id): void
+    public function getGet_detailed_sales_row(string $sale_id): ResponseInterface
    {
        $this->clearCache();

@@ -1658,16 +1665,16 @@ class Reports extends Secure_Controller
            )
        ];

-        echo json_encode([$sale_id => $summary_data]);
+        return $this->response->setJSON([$sale_id => $summary_data]);
    }

    /**
     * Detailed Supplier report input form. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function specific_supplier_input(): void
+    public function specific_supplier_input(): string
    {
        $this->clearCache();

@@ -1681,7 +1688,7 @@ class Reports extends Secure_Controller
        $data['specific_input_data'] = $suppliers;
        $data['sale_type_options'] = $this->get_sale_type_options();

-        echo view('reports/specific_input', $data);
+        return view('reports/specific_input', $data);
    }

    /**
@@ -1691,9 +1698,9 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $supplier_id
     * @param string $sale_type
-     * @return void
+     * @return string
     */
-    public function specific_suppliers(string $start_date, string $end_date, string $supplier_id, string $sale_type): void
+    public function specific_suppliers(string $start_date, string $end_date, string $supplier_id, string $sale_type): string
    {
        $inputs = [
            'start_date'  => $start_date,
@@ -1736,7 +1743,7 @@ class Reports extends Secure_Controller
            'summary_data' => $specific_supplier->getSummaryData($inputs)
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
@@ -1763,13 +1770,13 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $sale_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function detailed_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): void
+    public function detailed_sales(string $start_date, string $end_date, string $sale_type, string $location_id = 'all'): string
    {
        $this->clearCache();

-        $definition_names = $this->attribute->get_definitions_by_flags(attribute::SHOW_IN_SALES);
+        $definition_names = $this->attribute->get_definitions_by_flags(attribute::SHOW_IN_SALES, true);

        $inputs = [
            'start_date'     => $start_date,
@@ -1782,7 +1789,12 @@ class Reports extends Secure_Controller
        $this->detailed_sales->create($inputs);

        $columns = $this->detailed_sales->getDataColumns();
-        $columns['details'] = array_merge($columns['details'], $definition_names);
+        // Extract just names for column headers
+        $definitionHeaders = [];
+        foreach ($definition_names as $definition_id => $definitionInfo) {
+            $definitionHeaders[$definition_id] = $definitionInfo['name'];
+        }
+        $columns['details'] = array_merge($columns['details'], $definitionHeaders);

        $headers = $columns;

@@ -1869,17 +1881,17 @@ class Reports extends Secure_Controller
            'details_data_rewards' => $details_data_rewards,
            'overall_summary_data' => $this->detailed_sales->getSummaryData($inputs)
        ];
-        echo view('reports/tabular_details', $data);
+        return view('reports/tabular_details', $data);
    }

    /**
     * Returns detailed receivings row for given receiving_id. Used in app/Views/reports/tabular_details.php
     *
     * @param string $receiving_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getGet_detailed_receivings_row(string $receiving_id): void
+    public function getGet_detailed_receivings_row(string $receiving_id): ResponseInterface
    {
        $inputs = ['receiving_id' => $receiving_id];

@@ -1909,7 +1921,7 @@ class Reports extends Secure_Controller
            )
        ];

-        echo json_encode([$receiving_id => $summary_data]);
+        return $this->response->setJSON([$receiving_id => $summary_data]);
    }

    /**
@@ -1917,20 +1929,25 @@ class Reports extends Secure_Controller
     * @param string $end_date
     * @param string $receiving_type
     * @param string $location_id
-     * @return void
+     * @return string
     */
-    public function detailed_receivings(string $start_date, string $end_date, string $receiving_type, string $location_id = 'all'): void
+    public function detailed_receivings(string $start_date, string $end_date, string $receiving_type, string $location_id = 'all'): string
    {
        $this->clearCache();

-        $definition_names = $this->attribute->get_definitions_by_flags(attribute::SHOW_IN_RECEIVINGS);
+        $definition_names = $this->attribute->get_definitions_by_flags(attribute::SHOW_IN_RECEIVINGS, true);

        $inputs = ['start_date' => $start_date, 'end_date' => $end_date, 'receiving_type' => $receiving_type, 'location_id' => $location_id, 'definition_ids' => array_keys($definition_names)];

        $this->detailed_receivings->create($inputs);

        $columns = $this->detailed_receivings->getDataColumns();
-        $columns['details'] = array_merge($columns['details'], $definition_names);
+        // Extract just names for column headers
+        $definitionHeaders = [];
+        foreach ($definition_names as $definition_id => $definitionInfo) {
+            $definitionHeaders[$definition_id] = $definitionInfo['name'];
+        }
+        $columns['details'] = array_merge($columns['details'], $definitionHeaders);

        $headers = $columns;
        $report_data = $this->detailed_receivings->getData($inputs);
@@ -1993,13 +2010,13 @@ class Reports extends Secure_Controller
            'overall_summary_data' => $this->detailed_receivings->getSummaryData($inputs)
        ];

-        echo view('reports/tabular_details', $data);
+        return view('reports/tabular_details', $data);
    }

    /**
-     * @return void
+     * @return string
     */
-    public function inventory_low(): void
+    public function inventory_low(): string
    {
        $this->clearCache();

@@ -2028,16 +2045,16 @@ class Reports extends Secure_Controller
            'summary_data' => $inventory_low->getSummaryData($inputs)
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
     * Gets the inventory summary input view. Used in app/Config/Routes.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function inventory_summary_input(): void
+    public function inventory_summary_input(): string
    {
        $this->clearCache();

@@ -2048,15 +2065,15 @@ class Reports extends Secure_Controller
        $stock_locations['all'] = lang('Reports.all');
        $data['stock_locations'] = array_reverse($stock_locations, true);

-        echo view('reports/inventory_summary_input', $data);
+        return view('reports/inventory_summary_input', $data);
    }

    /**
     * @param string $location_id
     * @param string $item_count
-     * @return void
+     * @return string
     */
-    public function inventory_summary(string $location_id = 'all', string $item_count = 'all'): void
+    public function inventory_summary(string $location_id = 'all', string $item_count = 'all'): string
    {
        $this->clearCache();

@@ -2088,7 +2105,7 @@ class Reports extends Secure_Controller
            'summary_data' => $this->inventory_summary->getSummaryData($report_data)
        ];

-        echo view('reports/tabular', $data);
+        return view('reports/tabular', $data);
    }

    /**
--- a/app/Controllers/Sales.php
+++ b/app/Controllers/Sales.php
@@ -20,6 +20,8 @@ use App\Models\Stock_location;
 use App\Models\Tokens\Token_invoice_count;
 use App\Models\Tokens\Token_customer;
 use App\Models\Tokens\Token_invoice_sequence;
+use CodeIgniter\Events\Events;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;
 use Config\OSPOS;
 use ReflectionException;
@@ -65,27 +67,24 @@ class Sales extends Secure_Controller
        $this->employee = model(Employee::class);
    }

-    /**
-     * @return void
-     */
-    public function getIndex(): void
+    public function getIndex(): ResponseInterface|string
    {
        $this->session->set('allow_temp_items', 1);
-        $this->_reload();    // TODO: Hungarian Notation
+        return $this->_reload();    // TODO: Hungarian Notation
    }

    /**
     * Load the sale edit modal. Used in app/Views/sales/register.php.
     *
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function getManage(): void
+    public function getManage(): ResponseInterface|string
    {
-        $person_id = $this->session->get('person_id');
+        $personId = $this->session->get('person_id');

-        if (!$this->employee->has_grant('reports_sales', $person_id)) {
-            redirect('no_access/sales/reports_sales');
+        if (!$this->employee->has_grant('reports_sales', $personId)) {
+            return redirect()->to('no_access/sales/reports_sales');
        } else {
            $data['table_headers'] = get_sales_manage_table_headers();

@@ -94,39 +93,52 @@ class Sales extends Secure_Controller
                'only_due'          => lang('Sales.due_filter'),
                'only_check'        => lang('Sales.check_filter'),
                'only_creditcard'   => lang('Sales.credit_filter'),
+                'only_debit'        => lang('Sales.debit'),
                'only_invoices'     => lang('Sales.invoice_filter'),
                'selected_customer' => lang('Sales.selected_customer')
            ];

            if ($this->sale_lib->get_customer() != -1) {
-                $selected_filters = ['selected_customer'];
+                $selectedFilters = ['selected_customer'];
                $data['customer_selected'] = true;
            } else {
                $data['customer_selected'] = false;
-                $selected_filters = [];
+                $selectedFilters = [];
            }
-            $data['selected_filters'] = $selected_filters;

-            echo view('sales/manage', $data);
+            // Restore filters from URL query string
+            $filters = restoreTableFilters($this->request);
+            if (!empty($filters['selected_filters'])) {
+                $selectedFilters = array_merge($selectedFilters, $filters['selected_filters']);
+            }
+            if (isset($filters['start_date'])) {
+                $data['start_date'] = $filters['start_date'];
+            }
+            if (isset($filters['end_date'])) {
+                $data['end_date'] = $filters['end_date'];
+            }
+            $data['selected_filters'] = $selectedFilters;
+
+            return view('sales/manage', $data);
        }
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $sale_info = $this->sale->get_info($row_id)->getRow();
        $data_row = get_sale_data_row($sale_info);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -144,6 +156,7 @@ class Sales extends Secure_Controller
            'only_check'        => false,
            'selected_customer' => false,
            'only_creditcard'   => false,
+            'only_debit'        => false,
            'only_invoices'     => $this->config['invoice_enable'] && $this->request->getGet('only_invoices', FILTER_SANITIZE_NUMBER_INT),
            'is_valid_receipt'  => $this->sale->is_valid_receipt($search)
        ];
@@ -166,16 +179,16 @@ class Sales extends Secure_Controller
            $data_rows[] = get_sale_data_last_row($sales);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows, 'payment_summary' => $payment_summary]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows, 'payment_summary' => $payment_summary]);
    }

    /**
     * Gets search suggestions for an item or item kit. Used in app/Views/sales/register.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getItemSearch(): void
+    public function getItemSearch(): ResponseInterface
    {
        $suggestions = [];
        $receipt = $search = $this->request->getGet('term') != ''
@@ -189,13 +202,13 @@ class Sales extends Secure_Controller
        $suggestions = array_merge($suggestions, $this->item->get_search_suggestions($search, ['search_custom' => false, 'is_deleted' => false], true));
        $suggestions = array_merge($suggestions, $this->item_kit->get_search_suggestions($search));

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term') != ''
            ? $this->request->getPost('term')
@@ -203,16 +216,16 @@ class Sales extends Secure_Controller

        $suggestions = $this->sale->get_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Set a given customer. Used in app/Views/sales/register.php.
     *
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postSelectCustomer(): void
+    public function postSelectCustomer(): ResponseInterface|string
    {
        $customer_id = (int)$this->request->getPost('customer', FILTER_SANITIZE_NUMBER_INT);
        if ($this->customer->exists($customer_id)) {
@@ -226,16 +239,16 @@ class Sales extends Secure_Controller
            }
        }

-        $this->_reload();
+        return $this->_reload();
    }

    /**
     * Changes the sale mode in the register to carry out different types of sales
     *
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postChangeMode(): void
+    public function postChangeMode(): ResponseInterface|string
    {
        $mode = $this->request->getPost('mode', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $this->sale_lib->set_mode($mode);
@@ -276,14 +289,14 @@ class Sales extends Secure_Controller

        $this->sale_lib->empty_payments();

-        $this->_reload();
+        return $this->_reload();
    }

    /**
     * @param int $sale_type
-     * @return void
+     * @return ResponseInterface|string
     */
-    public function change_register_mode(int $sale_type): void
+    public function change_register_mode(int $sale_type): ResponseInterface|string
    {
        $mode = match ($sale_type) {
            SALE_TYPE_QUOTE => 'sale_quote',
@@ -294,81 +307,87 @@ class Sales extends Secure_Controller
        };

        $this->sale_lib->set_mode($mode);
+        return $this->_reload();
    }


    /**
     * Sets the sales comment. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetComment(): void
+    public function postSetComment(): ResponseInterface
    {
        $this->sale_lib->set_comment($this->request->getPost('comment', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Sets the invoice number. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetInvoiceNumber(): void
+    public function postSetInvoiceNumber(): ResponseInterface|string
    {
        $this->sale_lib->set_invoice_number($this->request->getPost('sales_invoice_number', FILTER_SANITIZE_NUMBER_INT));
+        return $this->response->setJSON(['success' => true]);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSetPaymentType(): void    // TODO: This function does not appear to be called anywhere in the code.
+    public function postSetPaymentType(): ResponseInterface|string    // TODO: This function does not appear to be called anywhere in the code.
    {
        $this->sale_lib->set_payment_type($this->request->getPost('selected_payment_type', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
-        $this->_reload();    // TODO: Hungarian notation.
+        return $this->_reload();    // TODO: Hungarian notation.
    }

    /**
     * Sets PrintAfterSale flag. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postSetPrintAfterSale(): void
+    public function postSetPrintAfterSale(): ResponseInterface
    {
        $this->sale_lib->set_print_after_sale($this->request->getPost('sales_print_after_sale') != 'false');
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Sets the flag to include prices in the work order. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetPriceWorkOrders(): void
+    public function postSetPriceWorkOrders(): ResponseInterface
    {
        $price_work_orders = parse_decimals($this->request->getPost('price_work_orders'));
        $this->sale_lib->set_price_work_orders($price_work_orders);
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Sets the flag to email receipt to the customer. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSetEmailReceipt(): void
+    public function postSetEmailReceipt(): ResponseInterface
    {
        $this->sale_lib->set_email_receipt($this->request->getPost('email_receipt', FILTER_SANITIZE_FULL_SPECIAL_CHARS));
+        return $this->response->setJSON(['success' => true]);
    }

    /**
     * Add a payment to the sale. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postAddPayment(): void
+    public function postAddPayment(): ResponseInterface|string
    {
        $data = [];
        $giftcard = model(Giftcard::class);
@@ -453,32 +472,39 @@ class Sales extends Secure_Controller
            }
        }

-        $this->_reload($data);
+        Events::trigger('payment_initiated', [
+            'payment_type' => $payment_type,
+            'amount' => $amount_tendered ?? 0,
+            'sale_id' => $this->sale_lib->get_sale_id(),
+            'customer_id' => $this->sale_lib->get_customer(),
+        ]);
+
+        return $this->_reload($data);
    }

    /**
     * Multiple Payments. Used in app/Views/sales/register.php
     *
     * @param string $payment_id
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getDeletePayment(string $payment_id): void
+    public function getDeletePayment(string $payment_id): ResponseInterface|string
    {
        helper('url');

        $this->sale_lib->delete_payment(base64url_decode($payment_id));

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Add an item to the sale. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postAdd(): void
+    public function postAdd(): ResponseInterface|string
    {
        $data = [];

@@ -549,17 +575,17 @@ class Sales extends Secure_Controller
            }
        }

-        $this->_reload($data);
+        return $this->_reload($data);
    }

    /**
     * Edit an item in the sale. Used in app/Views/sales/register.php
     *
     * @param string $line
-     * @return void
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postEditItem(string $line): void
+    public function postEditItem(string $line): ResponseInterface|string
    {
        $data = [];

@@ -594,33 +620,33 @@ class Sales extends Secure_Controller
            $data['error'] = lang('Sales.error_editing_item');
        }

-        $this->_reload($data);
+        return $this->_reload($data);
    }

    /**
     * Deletes an item specified in the parameter from the shopping cart. Used in app/Views/sales/register.php
     *
     * @param int $item_id
-     * @return void
+     * @return ResponseInterface
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function getDeleteItem(int $item_id): void
+    public function getDeleteItem(int $item_id): ResponseInterface|string
    {
        $this->sale_lib->delete_item($item_id);

        $this->sale_lib->empty_payments();

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Remove the current customer from the sale. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getRemoveCustomer(): void
+    public function getRemoveCustomer(): ResponseInterface|string
    {
        $this->sale_lib->clear_giftcard_remainder();
        $this->sale_lib->clear_rewards_remainder();
@@ -629,17 +655,17 @@ class Sales extends Secure_Controller
        $this->sale_lib->clear_quote_number();
        $this->sale_lib->remove_customer();

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Complete and finalize a sale. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return string
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postComplete(): void    // TODO: this function is huge.  Probably should be refactored.
+    public function postComplete(): string    // TODO: this function is huge.  Probably should be refactored.
    {
        $sale_id = $this->sale_lib->get_sale_id();
        $data = [];
@@ -751,8 +777,11 @@ class Sales extends Secure_Controller
                $data['sale_status'] = COMPLETED;
                $sale_type = SALE_TYPE_INVOICE;

-                // The PHP file name is the same as the invoice_type key
-                $invoice_view = $this->config['invoice_type'];
+                $invoice_type = $this->config['invoice_type'];
+                if (!Sale_lib::isValidInvoiceType($invoice_type)) {
+                    $invoice_type = 'invoice';
+                }
+                $invoice_view = $invoice_type;

                // Save the data to the sales table
                $data['sale_id_num'] = $this->sale->save_value($sale_id, $data['sale_status'], $data['cart'], $customer_id, $employee_id, $data['comments'], $invoice_number, $work_order_number, $quote_number, $sale_type, $data['payments'], $data['dinner_table'], $tax_details);
@@ -765,8 +794,18 @@ class Sales extends Secure_Controller
                    $data['error_message'] = lang('Sales.transaction_failed');
                } else {
                    $data['barcode'] = $this->barcode_lib->generate_receipt_barcode($data['sale_id']);
-                    echo view('sales/' . $invoice_view, $data);
+                    
+                    Events::trigger('sale_completed', [
+                        'sale_id' => $data['sale_id_num'],
+                        'customer_id' => $customer_id,
+                        'employee_id' => $employee_id,
+                        'total' => $data['total'],
+                        'payments' => $data['payments'],
+                        'sale_type' => $sale_type,
+                    ]);
+                    
                    $this->sale_lib->clear_all();
+                    return view('sales/' . $invoice_view, $data);
                }
            }
        } elseif ($this->sale_lib->is_work_order_mode()) {
@@ -799,9 +838,8 @@ class Sales extends Secure_Controller

                $data['barcode'] = null;

-                echo view('sales/work_order', $data);
-                $this->sale_lib->clear_mode();
                $this->sale_lib->clear_all();
+                return view('sales/work_order', $data);
            }
        } elseif ($this->sale_lib->is_quote_mode()) {
            $data['sales_quote'] = lang('Sales.quote');
@@ -827,9 +865,8 @@ class Sales extends Secure_Controller
                $data['cart'] = $this->sale_lib->sort_and_filter_cart($data['cart']);
                $data['barcode'] = null;

-                echo view('sales/quote', $data);
-                $this->sale_lib->clear_mode();
                $this->sale_lib->clear_all();
+                return view('sales/quote', $data);
            }
        } else {
            // Save the data to the sales table
@@ -850,8 +887,18 @@ class Sales extends Secure_Controller
                $data['error_message'] = lang('Sales.transaction_failed');
            } else {
                $data['barcode'] = $this->barcode_lib->generate_receipt_barcode($data['sale_id']);
-                echo view('sales/receipt', $data);
+                
+                Events::trigger('sale_completed', [
+                    'sale_id' => $data['sale_id_num'],
+                    'customer_id' => $customer_id,
+                    'employee_id' => $employee_id,
+                    'total' => $data['total'],
+                    'payments' => $data['payments'],
+                    'sale_type' => $sale_type,
+                ]);
+                
                $this->sale_lib->clear_all();
+                return view('sales/receipt', $data);
            }
        }
    }
@@ -861,10 +908,10 @@ class Sales extends Secure_Controller
     *
     * @param int $sale_id
     * @param string $type
-     * @return bool
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSendPdf(int $sale_id, string $type = 'invoice'): bool
+    public function getSendPdf(int $sale_id, string $type = 'invoice'): ResponseInterface
    {
        $sale_data = $this->_load_sale_data($sale_id);

@@ -899,21 +946,19 @@ class Sales extends Secure_Controller
            $message = lang($result ? "Sales." . $type . "_sent" : "Sales." . $type . "_unsent") . ' ' . $to;
        }

-        echo json_encode(['success' => $result, 'message' => $message, 'id' => $sale_id]);
-
        $this->sale_lib->clear_all();

-        return $result;
+        return $this->response->setJSON(['success' => $result, 'message' => $message, 'id' => $sale_id]);
    }

    /**
     * Emails sales receipt to customer. Used in app/Views/sales/receipt.php
     *
     * @param int $sale_id
-     * @return bool
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSendReceipt(int $sale_id): bool
+    public function getSendReceipt(int $sale_id): ResponseInterface
    {
        $sale_data = $this->_load_sale_data($sale_id);

@@ -922,6 +967,13 @@ class Sales extends Secure_Controller

        if (!empty($sale_data['customer_email'])) {
            $sale_data['barcode'] = $this->barcode_lib->generate_receipt_barcode($sale_data['sale_id']);
+            $sale_data['img_tag'] = '';
+
+            $logo_path = FCPATH . 'uploads/' . $this->config['company_logo'];
+            if (!empty($this->config['company_logo']) && file_exists($logo_path)) {
+                $logo_data = base64_encode(file_get_contents($logo_path));
+                $sale_data['img_tag'] = '<img id="image" src="data:image/png;base64,' . $logo_data . '" alt="company_logo">';
+            }

            $to = $sale_data['customer_email'];
            $subject = lang('Sales.receipt');
@@ -934,11 +986,9 @@ class Sales extends Secure_Controller
            $message = lang($result ? 'Sales.receipt_sent' : 'Sales.receipt_unsent') . ' ' . $to;
        }

-        echo json_encode(['success' => $result, 'message' => $message, 'id' => $sale_id]);
-
        $this->sale_lib->clear_all();

-        return $result;
+        return $this->response->setJSON(['success' => $result, 'message' => $message, 'id' => $sale_id]);
    }

    /**
@@ -1100,6 +1150,9 @@ class Sales extends Secure_Controller
        }

        $invoice_type = $this->config['invoice_type'];
+        if (!Sale_lib::isValidInvoiceType($invoice_type)) {
+            $invoice_type = 'invoice';
+        }
        $data['invoice_view'] = $invoice_type;

        return $data;
@@ -1109,7 +1162,7 @@ class Sales extends Secure_Controller
     * @param array $data
     * @return void
     */
-    private function _reload(array $data = []): void    // TODO: Hungarian notation
+    private function _reload(array $data = []): ResponseInterface|string    // TODO: Hungarian notation
    {
        $sale_id = $this->session->get('sale_id');    // TODO: This variable is never used

@@ -1215,40 +1268,47 @@ class Sales extends Secure_Controller
            $data['customer_required'] = lang('Sales.customer_optional');
        }

-        echo view("sales/register", $data);
+        return view("sales/register", $data);
    }

    /**
     * Load the sales receipt for a sale. Used in app/Views/sales/form.php
     *
     * @param int $sale_id
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getReceipt(int $sale_id): void
+    public function getReceipt(int $sale_id): string
    {
        $data = $this->_load_sale_data($sale_id);
-        echo view('sales/receipt', $data);
        $this->sale_lib->clear_all();
+
+        return view('sales/receipt', $data);
    }

    /**
+     * Loads the sales invoice for a sale. Used in app/Views/sales/form.php
+     *
     * @param int $sale_id
-     * @return void
+     * @return string
+     * @noinspection PhpUnused
     */
-    public function getInvoice(int $sale_id): void
+    public function getInvoice(int $sale_id): string
    {
        $data = $this->_load_sale_data($sale_id);
-
-        echo view('sales/' . $data['invoice_view'], $data);
        $this->sale_lib->clear_all();
+
+        return view('sales/' . $data['invoice_view'], $data);
    }

    /**
+     * Edits an existing sale or work order. Used in app/Views/sales/form.php
+     *
     * @param int $sale_id
-     * @return void
+     * @return string
+     * @throws ReflectionException
     */
-    public function getEdit(int $sale_id): void
+    public function getEdit(int $sale_id): string
    {
        $data = [];

@@ -1293,30 +1353,32 @@ class Sales extends Secure_Controller

        $data['new_payment_options'] = $payment_options;

-        echo view('sales/form', $data);
+        return view('sales/form', $data);
    }

    /**
+     * @param int $sale_id
+     * @return ResponseInterface
     * @throws ReflectionException
     */
-    public function postDelete(int $sale_id = NEW_ENTRY, bool $update_inventory = true): void
+    public function postDelete(int $sale_id = NEW_ENTRY, bool $update_inventory = true): ResponseInterface
    {
        $employee_id = $this->employee->get_logged_in_employee_info()->person_id;
        $has_grant = $this->employee->has_grant('sales_delete', $employee_id);

        if (!$has_grant) {
-            echo json_encode(['success' => false, 'message' => lang('Sales.not_authorized')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Sales.not_authorized')]);
        } else {
            $sale_ids = $sale_id == NEW_ENTRY ? $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT) : [$sale_id];

            if ($this->sale->delete_list($sale_ids, $employee_id, $update_inventory)) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Sales.successfully_deleted') . ' ' . count($sale_ids) . ' ' . lang('Sales.one_or_multiple'),
                    'ids'     => $sale_ids
                ]);
            } else {
-                echo json_encode(['success' => false, 'message' => lang('Sales.unsuccessfully_deleted')]);
+                return $this->response->setJSON(['success' => false, 'message' => lang('Sales.unsuccessfully_deleted')]);
            }
        }
    }
@@ -1324,26 +1386,26 @@ class Sales extends Secure_Controller
    /**
     * @param int $sale_id
     * @param bool $update_inventory
-     * @return void
+     * @return ResponseInterface
     */
-    public function restore(int $sale_id = NEW_ENTRY, bool $update_inventory = true): void
+    public function restore(int $sale_id = NEW_ENTRY, bool $update_inventory = true): ResponseInterface
    {
        $employee_id = $this->employee->get_logged_in_employee_info()->person_id;
        $has_grant = $this->employee->has_grant('sales_delete', $employee_id);

        if (!$has_grant) {
-            echo json_encode(['success' => false, 'message' => lang('Sales.not_authorized')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Sales.not_authorized')]);
        } else {
            $sale_ids = $sale_id == NEW_ENTRY ? $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT) : [$sale_id];

            if ($this->sale->restore_list($sale_ids, $employee_id, $update_inventory)) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Sales.successfully_restored') . ' ' . count($sale_ids) . ' ' . lang('Sales.one_or_multiple'),
                    'ids'     => $sale_ids
                ]);
            } else {
-                echo json_encode(['success' => false, 'message' => lang('Sales.unsuccessfully_restored')]);
+                return $this->response->setJSON(['success' => false, 'message' => lang('Sales.unsuccessfully_restored')]);
            }
        }
    }
@@ -1352,9 +1414,10 @@ class Sales extends Secure_Controller
     * This saves the sale from the update sale view (sales/form).
     * It only updates the sales table and payments.
     * @param int $sale_id
+     * @return ResponseInterface
     * @throws ReflectionException
     */
-    public function postSave(int $sale_id = NEW_ENTRY): void
+    public function postSave(int $sale_id = NEW_ENTRY): ResponseInterface
    {
        $newdate = $this->request->getPost('date', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $employee_id = $this->employee->get_logged_in_employee_info()->person_id;
@@ -1435,9 +1498,9 @@ class Sales extends Secure_Controller

        $inventory->update('POS ' . $sale_id, ['trans_date' => $sale_time]);    // TODO: Reflection Exception
        if ($this->sale->update($sale_id, $sale_data)) {
-            echo json_encode(['success' => true, 'message' => lang('Sales.successfully_updated'), 'id' => $sale_id]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Sales.successfully_updated'), 'id' => $sale_id]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Sales.unsuccessfully_updated'), 'id' => $sale_id]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Sales.unsuccessfully_updated'), 'id' => $sale_id]);
        }
    }

@@ -1447,10 +1510,11 @@ class Sales extends Secure_Controller
     * Work orders can be canceled but are not physically removed from the sales history.
     * Used in app/Views/sales/register.php
     *
+     * @return ResponseInterface
     * @throws ReflectionException
     * @noinspection PhpUnused
     */
-    public function postCancel(): void
+    public function postCancel(): ResponseInterface|string
    {
        $sale_id = $this->sale_lib->get_sale_id();
        if ($sale_id != NEW_ENTRY && $sale_id != '') {
@@ -1472,32 +1536,32 @@ class Sales extends Secure_Controller
        }

        $this->sale_lib->clear_all();
-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Discards the suspended sale. Used in app/Views/sales/quote.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getDiscardSuspendedSale(): void
+    public function getDiscardSuspendedSale(): ResponseInterface|string
    {
        $suspended_id = $this->sale_lib->get_suspended_id();
        $this->sale_lib->clear_all();
        $this->sale->delete_suspended_sale($suspended_id);
-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Suspend the current sale.
     * If the current sale is already suspended then update the existing suspended sale otherwise create
-     * it as a new suspended sale. Used in app/Views/sales/register.php.
+     * it as a new suspended sale. Used in app/Views/sales/register.php
     *
-     * @throws ReflectionException
+     * @return ResponseInterface|string
     * @noinspection PhpUnused
     */
-    public function postSuspend(): void
+    public function postSuspend(): ResponseInterface|string
    {
        $sale_id = $this->sale_lib->get_sale_id();
        $dinner_table = $this->sale_lib->get_dinner_table();
@@ -1528,28 +1592,29 @@ class Sales extends Secure_Controller

        $this->sale_lib->clear_all();

-        $this->_reload($data);    // TODO: Hungarian notation
+        return $this->_reload($data);
    }

    /**
     * List suspended sales
+     * @return string
     */
-    public function getSuspended(): void
+    public function getSuspended(): string
    {
        $data = [];
        $customer_id = $this->sale_lib->get_customer();
        $data['suspended_sales'] = $this->sale->get_all_suspended($customer_id);
-        echo view('sales/suspended', $data);
+        return view('sales/suspended', $data);
    }

    /**
     * Unsuspended sales are now left in the tables and are only removed
     * when they are intentionally cancelled. Used in app/Views/sales/suspended.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postUnsuspend(): void
+    public function postUnsuspend(): ResponseInterface|string
    {
        $sale_id = $this->request->getPost('suspended_sale_id', FILTER_SANITIZE_NUMBER_INT);
        $this->sale_lib->clear_all();
@@ -1561,32 +1626,32 @@ class Sales extends Secure_Controller
        // Set current register mode to reflect that of unsuspended order type
        $this->change_register_mode($this->sale_lib->get_sale_type());

-        $this->_reload();    // TODO: Hungarian notation
+        return $this->_reload();
    }

    /**
     * Show Keyboard shortcut modal. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getSalesKeyboardHelp(): void
+    public function getSalesKeyboardHelp(): string
    {
-        echo view('sales/help');
+        return view('sales/help');
    }

    /**
     * Check the validity of an invoice number. Used in app/Views/sales/form.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postCheckInvoiceNumber(): void
+    public function postCheckInvoiceNumber(): ResponseInterface
    {
        $sale_id = $this->request->getPost('sale_id', FILTER_SANITIZE_NUMBER_INT);
        $invoice_number = $this->request->getPost('invoice_number', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        $exists = !empty($invoice_number) && $this->sale->check_invoice_number_exists($invoice_number, $sale_id);
-        echo !$exists ? 'true' : 'false';
+        return $this->response->setJSON(!$exists ? 'true' : 'false');
    }

    /**
@@ -1613,10 +1678,10 @@ class Sales extends Secure_Controller
    /**
     * Update the item number in the register. Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postChangeItemNumber(): void
+    public function postChangeItemNumber(): ResponseInterface
    {
        $item_id = $this->request->getPost('item_id', FILTER_SANITIZE_NUMBER_INT);
        $item_number = $this->request->getPost('item_number', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -1632,10 +1697,10 @@ class Sales extends Secure_Controller
    /**
     * Change a given item name. Used in app/Views/sales/register.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postChangeItemName(): void
+    public function postChangeItemName(): ResponseInterface
    {
        $item_id = $this->request->getPost('item_id', FILTER_SANITIZE_NUMBER_INT);
        $name = $this->request->getPost('item_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -1655,10 +1720,10 @@ class Sales extends Secure_Controller
    /**
     * Update the given item description.  Used in app/Views/sales/register.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postChangeItemDescription(): void
+    public function postChangeItemDescription(): ResponseInterface
    {
        $item_id = $this->request->getPost('item_id', FILTER_SANITIZE_NUMBER_INT);
        $description = $this->request->getPost('item_description', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
--- a/app/Controllers/Secure_Controller.php
+++ b/app/Controllers/Secure_Controller.php
@@ -4,7 +4,7 @@ namespace App\Controllers;

 use App\Models\Employee;
 use App\Models\Module;
-
+use CodeIgniter\HTTP\ResponseInterface;
 use CodeIgniter\Model;
 use CodeIgniter\Session\Session;
 use Config\OSPOS;
@@ -85,18 +85,17 @@ class Secure_Controller extends BaseController

    /**
     * AJAX function used to confirm whether values sent in the request are numeric
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getCheckNumeric(): void
+    public function getCheckNumeric(): ResponseInterface
    {
        foreach ($this->request->getGet() as $value) {
            if (parse_decimals($value) === false) {
-                echo 'false';
-                return;
+                return $this->response->setJSON('false');
            }
        }
-        echo 'true';
+        return $this->response->setJSON('true');
    }

    /**
--- a/app/Controllers/Suppliers.php
+++ b/app/Controllers/Suppliers.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Supplier;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 class Suppliers extends Persons
@@ -17,33 +18,33 @@ class Suppliers extends Persons
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_suppliers_manage_table_headers();

-        echo view('people/manage', $data);
+        return view('people/manage', $data);
    }

    /**
     * Gets one row for a supplier manage table. This is called using AJAX to update one row.
     * @param $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow($row_id): void
+    public function getRow($row_id): ResponseInterface
    {
        $data_row = get_supplier_data_row($this->supplier->get_info($row_id));
        $data_row['category'] = $this->supplier->get_category_name($data_row['category']);

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * Returns Supplier table data rows. This will be called with AJAX.
     * @return void
     **/
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -62,38 +63,39 @@ class Suppliers extends Persons
            $data_rows[] = $row;
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * Gives search suggestions based on what is being searched for
+     * @return ResponseInterface
     **/
-    public function getSuggest(): void
+    public function getSuggest(): ResponseInterface
    {
        $search = $this->request->getGet('term');
        $suggestions = $this->supplier->get_search_suggestions($search, true);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->supplier->get_search_suggestions($search, false);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Loads the supplier edit form
     *
     * @param int $supplier_id
-     * @return void
+     * @return string
     */
-    public function getView(int $supplier_id = NEW_ENTRY): void
+    public function getView(int $supplier_id = NEW_ENTRY): string
    {
        $info = $this->supplier->get_info($supplier_id);
        foreach (get_object_vars($info) as $property => $value) {
@@ -102,16 +104,16 @@ class Suppliers extends Persons
        $data['person_info'] = $info;
        $data['categories'] = $this->supplier->get_categories();

-        echo view("suppliers/form", $data);
+        return view("suppliers/form", $data);
    }

    /**
     * Inserts/updates a supplier
     *
     * @param int $supplier_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $supplier_id = NEW_ENTRY): void
+    public function postSave(int $supplier_id = NEW_ENTRY): ResponseInterface
    {
        $first_name = $this->request->getPost('first_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);    // TODO: Duplicate code
        $last_name = $this->request->getPost('last_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -147,21 +149,21 @@ class Suppliers extends Persons
        if ($this->supplier->save_supplier($person_data, $supplier_data, $supplier_id)) {
            // New supplier
            if ($supplier_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Suppliers.successful_adding') . ' ' . $supplier_data['company_name'],
                    'id'      => $supplier_data['person_id']
                ]);
            } else { // Existing supplier

-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Suppliers.successful_updating') . ' ' . $supplier_data['company_name'],
                    'id'      => $supplier_id
                ]);
            }
        } else { // Failure
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Suppliers.error_adding_updating') . ' ' .     $supplier_data['company_name'],
                'id'      => NEW_ENTRY
@@ -172,19 +174,19 @@ class Suppliers extends Persons
    /**
     * This deletes suppliers from the suppliers table
     *
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $suppliers_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT);

        if ($this->supplier->delete_list($suppliers_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Suppliers.successful_deleted') . ' ' . count($suppliers_to_delete) . ' ' . lang('Suppliers.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Suppliers.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Suppliers.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Tax_categories.php
+++ b/app/Controllers/Tax_categories.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Tax_category;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 /**
@@ -20,13 +21,13 @@ class Tax_categories extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['tax_categories_table_headers'] = get_tax_categories_table_headers();

-        echo view('taxes/tax_categories', $data);
+        return view('taxes/tax_categories', $data);
    }

    /**
@@ -34,7 +35,7 @@ class Tax_categories extends Secure_Controller
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -50,37 +51,37 @@ class Tax_categories extends Secure_Controller
            $data_rows[] = get_tax_categories_data_row($tax_category);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * @param $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow($row_id): void
+    public function getRow($row_id): ResponseInterface
    {
        $data_row = get_tax_categories_data_row($this->tax_category->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $tax_category_id
-     * @return void
+     * @return string
     */
-    public function getView(int $tax_category_id = NEW_ENTRY): void
+    public function getView(int $tax_category_id = NEW_ENTRY): string
    {
        $data['tax_category_info'] = $this->tax_category->get_info($tax_category_id);

-        echo view("taxes/tax_category_form", $data);
+        return view("taxes/tax_category_form", $data);
    }


    /**
     * @param int $tax_category_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $tax_category_id = NEW_ENTRY): void
+    public function postSave(int $tax_category_id = NEW_ENTRY): ResponseInterface
    {
        $tax_category_data = [
            'tax_category'       => $this->request->getPost('tax_category', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
@@ -91,20 +92,20 @@ class Tax_categories extends Secure_Controller
        if ($this->tax_category->save_value($tax_category_data, $tax_category_id)) {
            // New tax_category_id
            if ($tax_category_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_categories.successful_adding'),
                    'id'      => $tax_category_data['tax_category_id']
                ]);
            } else {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_categories.successful_updating'),
                    'id'      => $tax_category_id
                ]);
            }
        } else {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Tax_categories.error_adding_updating') . ' ' . $tax_category_data['tax_category'],
                'id'      => NEW_ENTRY
@@ -113,19 +114,19 @@ class Tax_categories extends Secure_Controller
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $tax_categories_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT);

        if ($this->tax_category->delete_list($tax_categories_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Tax_categories.successful_deleted') . ' ' . count($tax_categories_to_delete) . ' ' . lang('Tax_categories.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Tax_categories.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Tax_categories.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Tax_codes.php
+++ b/app/Controllers/Tax_codes.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Tax_code;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 /**
@@ -22,11 +23,11 @@ class Tax_codes extends Secure_Controller


    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
-        echo view('taxes/tax_codes', $this->get_data());
+        return view('taxes/tax_codes', $this->get_data());
    }

    /**
@@ -44,7 +45,7 @@ class Tax_codes extends Secure_Controller
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -61,37 +62,37 @@ class Tax_codes extends Secure_Controller
            $data_rows[] = get_tax_code_data_row($tax_code);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_tax_code_data_row($this->tax_code->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $tax_code_id
-     * @return void
+     * @return string
     */
-    public function getView(int $tax_code_id = NEW_ENTRY): void
+    public function getView(int $tax_code_id = NEW_ENTRY): string
    {
        $data['tax_code_info'] = $this->tax_code->get_info($tax_code_id);

-        echo view("taxes/tax_code_form", $data);
+        return view("taxes/tax_code_form", $data);
    }


    /**
     * @param int $tax_code_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $tax_code_id = NEW_ENTRY): void
+    public function postSave(int $tax_code_id = NEW_ENTRY): ResponseInterface
    {
        $tax_code_data = [
            'tax_code'      => $this->request->getPost('tax_code', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
@@ -102,20 +103,20 @@ class Tax_codes extends Secure_Controller

        if ($this->tax_code->save($tax_code_data)) {
            if ($tax_code_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_codes.successful_adding'),
                    'id'      => $tax_code_data['tax_code_id']
                ]);
            } else {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_codes.successful_updating'),
                    'id'      => $tax_code_id
                ]);
            }
        } else {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Tax_codes.error_adding_updating') . ' ' . $tax_code_data['tax_code_id'],
                'id'      => NEW_ENTRY
@@ -124,19 +125,19 @@ class Tax_codes extends Secure_Controller
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $tax_codes_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT);

        if ($this->tax_code->delete_list($tax_codes_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Tax_codes.successful_deleted') . ' ' . count($tax_codes_to_delete) . ' ' . lang('Tax_codes.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Tax_codes.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Tax_codes.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Tax_jurisdictions.php
+++ b/app/Controllers/Tax_jurisdictions.php
@@ -3,6 +3,7 @@
 namespace App\Controllers;

 use App\Models\Tax_jurisdiction;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\Services;

 /**
@@ -23,13 +24,13 @@ class Tax_jurisdictions extends Secure_Controller


    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['table_headers'] = get_tax_jurisdictions_table_headers();

-        echo view('taxes/tax_jurisdictions', $data);
+        return view('taxes/tax_jurisdictions', $data);
    }

    /**
@@ -37,7 +38,7 @@ class Tax_jurisdictions extends Secure_Controller
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit  = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -53,37 +54,37 @@ class Tax_jurisdictions extends Secure_Controller
            $data_rows[] = get_tax_jurisdictions_data_row($tax_jurisdiction);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_tax_jurisdictions_data_row($this->tax_jurisdiction->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $tax_jurisdiction_id
-     * @return void
+     * @return string
     */
-    public function getView(int $tax_jurisdiction_id = NEW_ENTRY): void
+    public function getView(int $tax_jurisdiction_id = NEW_ENTRY): string
    {
        $data['tax_jurisdiction_info'] = $this->tax_jurisdiction->get_info($tax_jurisdiction_id);

-        echo view("taxes/tax_jurisdiction_form", $data);
+        return view("taxes/tax_jurisdiction_form", $data);
    }


    /**
     * @param int $jurisdiction_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $jurisdiction_id = NEW_ENTRY): void
+    public function postSave(int $jurisdiction_id = NEW_ENTRY): ResponseInterface
    {
        $tax_jurisdiction_data = [
            'jurisdiction_name'   => $this->request->getPost('jurisdiction_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
@@ -92,20 +93,20 @@ class Tax_jurisdictions extends Secure_Controller

        if ($this->tax_jurisdiction->save_value($tax_jurisdiction_data)) {
            if ($jurisdiction_id == NEW_ENTRY) {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_jurisdictions.successful_adding'),
                    'id'      => $tax_jurisdiction_data['jurisdiction_id']
                ]);
            } else {
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => true,
                    'message' => lang('Tax_jurisdictions.successful_updating'),
                    'id'      => $jurisdiction_id
                ]);
            }
        } else {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => false,
                'message' => lang('Tax_jurisdictions.error_adding_updating') . ' ' . $tax_jurisdiction_data['jurisdiction_name'],
                'id'      => NEW_ENTRY
@@ -114,19 +115,19 @@ class Tax_jurisdictions extends Secure_Controller
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $tax_jurisdictions_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT);

        if ($this->tax_jurisdiction->delete_list($tax_jurisdictions_to_delete)) {
-            echo json_encode([
+            return $this->response->setJSON([
                'success' => true,
                'message' => lang('Tax_jurisdictions.successful_deleted') . ' ' . count($tax_jurisdictions_to_delete) . ' ' . lang('Tax_jurisdictions.one_or_multiple')
            ]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Tax_jurisdictions.cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Tax_jurisdictions.cannot_be_deleted')]);
        }
    }
 }
--- a/app/Controllers/Taxes.php
+++ b/app/Controllers/Taxes.php
@@ -8,6 +8,7 @@ use App\Models\Tax;
 use App\Models\Tax_category;
 use App\Models\Tax_code;
 use App\Models\Tax_jurisdiction;
+use CodeIgniter\HTTP\ResponseInterface;
 use Config\OSPOS;
 use Config\Services;

@@ -36,9 +37,9 @@ class Taxes extends Secure_Controller
    }

    /**
-     * @return void
+     * @return string
     */
-    public function getIndex(): void
+    public function getIndex(): string
    {
        $data['tax_codes'] = $this->tax_code->get_all()->getResultArray();
        if (count($data['tax_codes']) == 0) {
@@ -67,7 +68,7 @@ class Taxes extends Secure_Controller

        $data['tax_type_options'] = $this->tax_lib->get_tax_type_options($data['default_tax_type']);

-        echo view('taxes/manage', $data);
+        return view('taxes/manage', $data);
    }

    /**
@@ -75,7 +76,7 @@ class Taxes extends Secure_Controller
     *
     * @return void
     */
-    public function getSearch(): void
+    public function getSearch(): ResponseInterface
    {
        $search = $this->request->getGet('search');
        $limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
@@ -92,50 +93,50 @@ class Taxes extends Secure_Controller
            $data_rows[] = get_tax_rates_data_row($tax_rate_row);
        }

-        echo json_encode(['total' => $total_rows, 'rows' => $data_rows]);
+        return $this->response->setJSON(['total' => $total_rows, 'rows' => $data_rows]);
    }

    /**
     * Gives search suggestions based on what is being searched for
+     * @return ResponseInterface
     */
-    public function suggest_search(): void
+    public function suggest_search(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->tax->get_search_suggestions($search);    // TODO: There is no get_search_suggestions function in the tax model

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Provides list of tax categories to select from
-     *
-     * @return void
+     * @return ResponseInterface
     */
-    public function suggest_tax_categories(): void
+    public function suggest_tax_categories(): ResponseInterface
    {
        $search = $this->request->getPost('term');
        $suggestions = $this->tax_category->get_tax_category_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }


    /**
     * @param int $row_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function getRow(int $row_id): void
+    public function getRow(int $row_id): ResponseInterface
    {
        $data_row = get_tax_rates_data_row($this->tax->get_info($row_id));

-        echo json_encode($data_row);
+        return $this->response->setJSON($data_row);
    }

    /**
     * @param int $tax_code
-     * @return void
+     * @return string
     */
-    public function getView_tax_codes(int $tax_code = NEW_ENTRY): void
+    public function getView_tax_codes(int $tax_code = NEW_ENTRY): string
    {
        $tax_code_info = $this->tax->get_info($tax_code);

@@ -192,15 +193,15 @@ class Taxes extends Secure_Controller

        $data['tax_rates'] = $tax_rates;

-        echo view('taxes/tax_code_form', $data);
+        return view('taxes/tax_code_form', $data);
    }


    /**
     * @param int $tax_rate_id
-     * @return void
+     * @return string
     */
-    public function getView(int $tax_rate_id = NEW_ENTRY): void
+    public function getView(int $tax_rate_id = NEW_ENTRY): string
    {
        $tax_rate_info = $this->tax->get_info($tax_rate_id);

@@ -226,14 +227,14 @@ class Taxes extends Secure_Controller
            $data['tax_rate'] = $tax_rate_info->tax_rate;
        }

-        echo view('taxes/tax_rates_form', $data);
+        return view('taxes/tax_rates_form', $data);
    }

    /**
     * @param int $tax_code
-     * @return void
+     * @return string
     */
-    public function getView_tax_categories(int $tax_code = NEW_ENTRY): void    // TODO: This appears to be called no where in the code.
+    public function getView_tax_categories(int $tax_code = NEW_ENTRY): string    // TODO: This appears to be called no where in the code.
    {
        $tax_code_info = $this->tax->get_info($tax_code);    // TODO: Duplicated Code

@@ -290,14 +291,14 @@ class Taxes extends Secure_Controller

        $data['tax_rates'] = $tax_rates;

-        echo view('taxes/tax_category_form', $data);
+        return view('taxes/tax_category_form', $data);
    }

    /**
     * @param int $tax_code
-     * @return void
+     * @return string
     */
-    public function getView_tax_jurisdictions(int $tax_code = NEW_ENTRY): void // TODO: This appears to be called no where in the code.
+    public function getView_tax_jurisdictions(int $tax_code = NEW_ENTRY): string // TODO: This appears to be called no where in the code.
    {
        $tax_code_info = $this->tax->get_info($tax_code);    // TODO: Duplicated code

@@ -354,7 +355,7 @@ class Taxes extends Secure_Controller

        $data['tax_rates'] = $tax_rates;

-        echo view('taxes/tax_jurisdiction_form', $data);
+        return view('taxes/tax_jurisdiction_form', $data);
    }

    /**
@@ -367,9 +368,9 @@ class Taxes extends Secure_Controller

    /**
     * @param int $tax_rate_id
-     * @return void
+     * @return ResponseInterface
     */
-    public function postSave(int $tax_rate_id = NEW_ENTRY): void
+    public function postSave(int $tax_rate_id = NEW_ENTRY): ResponseInterface
    {
        $tax_category_id = $this->request->getPost('rate_tax_category_id', FILTER_SANITIZE_NUMBER_INT);
        $tax_rate = parse_tax($this->request->getPost('tax_rate'));
@@ -388,50 +389,50 @@ class Taxes extends Secure_Controller

        if ($this->tax->save_value($tax_rate_data, $tax_rate_id)) {
            if ($tax_rate_id == NEW_ENTRY) {    // TODO: this needs to be replaced with ternary notation
-                echo json_encode(['success' => true, 'message' => lang('Taxes.tax_rate_successfully_added')]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Taxes.tax_rate_successfully_added')]);
            } else { // Existing tax_code
-                echo json_encode(['success' => true, 'message' => lang('Taxes.tax_rate_successful_updated')]);
+                return $this->response->setJSON(['success' => true, 'message' => lang('Taxes.tax_rate_successful_updated')]);
            }
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Taxes.tax_rate_error_adding_updating')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Taxes.tax_rate_error_adding_updating')]);
        }
    }

    /**
-     * @return void
+     * @return ResponseInterface
     */
-    public function postDelete(): void
+    public function postDelete(): ResponseInterface
    {
        $tax_codes_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_NUMBER_INT);

        if ($this->tax->delete_list($tax_codes_to_delete)) {    // TODO: this needs to be replaced with ternary notation
-            echo json_encode(['success' => true, 'message' => lang('Taxes.tax_code_successful_deleted')]);
+            return $this->response->setJSON(['success' => true, 'message' => lang('Taxes.tax_code_successful_deleted')]);
        } else {
-            echo json_encode(['success' => false, 'message' => lang('Taxes.tax_code_cannot_be_deleted')]);
+            return $this->response->setJSON(['success' => false, 'message' => lang('Taxes.tax_code_cannot_be_deleted')]);
        }
    }

    /**
     * Get search suggestions for tax codes. Used in app/Views/customers/form.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function getSuggestTaxCodes(): void
+    public function getSuggestTaxCodes(): ResponseInterface
    {
        $search = $this->request->getPostGet('term');
        $suggestions = $this->tax_code->get_tax_codes_search_suggestions($search);

-        echo json_encode($suggestions);
+        return $this->response->setJSON($suggestions);
    }

    /**
     * Saves Tax Codes. Used in app/Views/taxes/tax_codes.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSave_tax_codes(): void
+    public function postSave_tax_codes(): ResponseInterface
    {
        $tax_code_id = $this->request->getPost('tax_code_id', FILTER_SANITIZE_NUMBER_INT);
        $tax_code = $this->request->getPost('tax_code', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -452,7 +453,7 @@ class Taxes extends Secure_Controller

        $success = $this->tax_code->save_tax_codes($array_save);

-        echo json_encode([
+        return $this->response->setJSON([
            'success' => $success,
            'message' => lang('Taxes.tax_codes_saved_' . ($success ? '' : 'un') . 'successfully')
        ]);
@@ -461,10 +462,10 @@ class Taxes extends Secure_Controller
    /**
     * Saves given tax jurisdiction. Used in app/Views/taxes/tax_jurisdictions.php.
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSave_tax_jurisdictions(): void
+    public function postSave_tax_jurisdictions(): ResponseInterface
    {
        $jurisdiction_id = $this->request->getPost('jurisdiction_id', FILTER_SANITIZE_NUMBER_INT);
        $jurisdiction_name = $this->request->getPost('jurisdiction_name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -489,11 +490,10 @@ class Taxes extends Secure_Controller
            ];

            if (in_array($tax_group[$key], $unique_tax_groups)) {    // TODO: This can be replaced with `in_array($tax_group[$key], $unique_tax_groups)`
-                echo json_encode([
+                return $this->response->setJSON([
                    'success' => false,
                    'message' => lang('Taxes.tax_group_not_unique', [$tax_group[$key]])
                ]);
-                return;
            } else {
                $unique_tax_groups[] = $tax_group[$key];
            }
@@ -501,7 +501,7 @@ class Taxes extends Secure_Controller

        $success = $this->tax_jurisdiction->save_jurisdictions($array_save);

-        echo json_encode([
+        return $this->response->setJSON([
            'success' => $success,
            'message' => lang('Taxes.tax_jurisdictions_saved_' . ($success ? '' : 'un') . 'successfully')
        ]);
@@ -510,10 +510,10 @@ class Taxes extends Secure_Controller
    /**
     * Saves tax categories. Used in app/Views/taxes/tax_categories.php
     *
-     * @return void
+     * @return ResponseInterface
     * @noinspection PhpUnused
     */
-    public function postSave_tax_categories(): void
+    public function postSave_tax_categories(): ResponseInterface
    {
        $tax_category_id = $this->request->getPost('tax_category_id', FILTER_SANITIZE_NUMBER_INT);
        $tax_category = $this->request->getPost('tax_category', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
@@ -531,7 +531,7 @@ class Taxes extends Secure_Controller

        $success = $this->tax_category->save_categories($array_save);

-        echo json_encode([
+        return $this->response->setJSON([
            'success' => $success,
            'message' => lang('Taxes.tax_categories_saved_' . ($success ? '' : 'un') . 'successfully')
        ]);
@@ -540,36 +540,36 @@ class Taxes extends Secure_Controller
    /**
     * Gets tax codes partial view. Used in app/Views/taxes/tax_codes.php.
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getAjax_tax_codes(): void
+    public function getAjax_tax_codes(): string
    {
        $tax_codes = $this->tax_code->get_all()->getResultArray();

-        echo view('partial/tax_codes', ['tax_codes' => $tax_codes]);
+        return view('partial/tax_codes', ['tax_codes' => $tax_codes]);
    }

    /**
     * Gets current tax categories. Used in app/Views/taxes/tax_categories.php
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getAjax_tax_categories(): void
+    public function getAjax_tax_categories(): string
    {
        $tax_categories = $this->tax_category->get_all()->getResultArray();

-        echo view('partial/tax_categories', ['tax_categories' => $tax_categories]);
+        return view('partial/tax_categories', ['tax_categories' => $tax_categories]);
    }

    /**
     * Gets the tax jurisdiction partial view.  Used in app/Views/taxes/tax_jurisdictions.php.
     *
-     * @return void
+     * @return string
     * @noinspection PhpUnused
     */
-    public function getAjax_tax_jurisdictions(): void
+    public function getAjax_tax_jurisdictions(): string
    {
        $tax_jurisdictions = $this->tax_jurisdiction->get_all()->getResultArray();

@@ -581,7 +581,7 @@ class Taxes extends Secure_Controller

        $tax_types = $this->tax_lib->get_tax_types();

-        echo view('partial/tax_jurisdictions', [
+        return view('partial/tax_jurisdictions', [
            'tax_jurisdictions' => $tax_jurisdictions,
            'tax_types'         => $tax_types,
            'default_tax_type'  => $default_tax_type
--- a/app/Database/Migrations/20170501000000_initial_schema.php
+++ b/app/Database/Migrations/20170501000000_initial_schema.php
@@ -0,0 +1,60 @@
+<?php
+
+namespace App\Database\Migrations;
+
+use CodeIgniter\Database\Migration;
+
+class Migration_Initial_Schema extends Migration
+{
+    public function __construct()
+    {
+        parent::__construct();
+    }
+
+    /**
+     * Perform a migration step.
+     * Only runs on fresh installs - skips if database already has tables.
+     *
+     * For testing: CI4's DatabaseTestTrait with $refresh=true handles table
+     * cleanup/creation automatically. This migration only loads initial schema
+     * on fresh databases where no application tables exist.
+     */
+    public function up(): void
+    {
+        // Check if core application tables exist (existing install)
+        // Note: migrations table may exist even on fresh DB due to migration tracking
+        $tables = $this->db->listTables();
+        
+        // Check for a core application table, not just migrations table
+        foreach ($tables as $table) {
+            // Strip prefix if present for comparison
+            $tableName = str_replace($this->db->getPrefix(), '', $table);
+            if (in_array($tableName, ['app_config', 'items', 'employees', 'people'])) {
+                // Database already populated - skip initial schema
+                // This is an existing installation upgrading from older version
+                return;
+            }
+        }
+        
+        // Fresh install - load initial schema
+        helper('migration');
+        execute_script(APPPATH . 'Database/Migrations/sqlscripts/initial_schema.sql');
+    }
+
+    /**
+     * Revert a migration step.
+     * Cannot revert initial schema - would lose all data.
+     */
+    public function down(): void
+    {
+        // Cannot safely revert initial schema
+        // Would require dropping all tables which would lose all data
+        $this->db->query('SET FOREIGN_KEY_CHECKS = 0');
+        
+        foreach ($this->db->listTables() as $table) {
+            $this->db->query('DROP TABLE IF EXISTS `' . $table . '`');
+        }
+        
+        $this->db->query('SET FOREIGN_KEY_CHECKS = 1');
+    }
+}
--- a/app/Database/Migrations/20170502221506_sales_tax_data.php
+++ b/app/Database/Migrations/20170502221506_sales_tax_data.php
@@ -267,6 +267,8 @@ class Migration_Sales_Tax_Data extends Migration
     */
    public function round_number(int $rounding_mode, string $amount, int $decimals): float
    {
+        $amount = (float)$amount;
+
        if ($rounding_mode == Migration_Sales_Tax_Data::ROUND_UP) {
            $fig = pow(10, $decimals);
            $rounded_total = (ceil($fig * $amount) + ceil($fig * $amount - ceil($fig * $amount))) / $fig;
@@ -376,7 +378,7 @@ class Migration_Sales_Tax_Data extends Migration
        $decimals = totals_decimals();

        foreach ($sales_taxes as $row_number => $sales_tax) {
-            $sale_tax_amount = $sales_tax['sale_tax_amount'];
+            $sale_tax_amount = (float)$sales_tax['sale_tax_amount'];
            $rounding_code = $sales_tax['rounding_code'];
            $rounded_sale_tax_amount = $sale_tax_amount;

--- a/app/Database/Migrations/20191008100000_receipttaxindicator.php
+++ b/app/Database/Migrations/20191008100000_receipttaxindicator.php
@@ -21,6 +21,6 @@ class Migration_receipttaxindicator extends Migration
     */
    public function down(): void
    {
-        $this->db->query('DELETE FROM ' . $this->db->prefixTable('app_config') . ' WHERE key = \'receipt_show_tax_ind\'');
+        $this->db->query('DELETE FROM ' . $this->db->prefixTable('app_config') . ' WHERE `key` = \'receipt_show_tax_ind\'');
    }
 }
--- a/app/Database/Migrations/20200202000000_taxamount.php
+++ b/app/Database/Migrations/20200202000000_taxamount.php
@@ -243,6 +243,8 @@ class Migration_TaxAmount extends Migration
     */
    public function round_number(int $rounding_mode, string $amount, int $decimals): float    // TODO: is this currency safe?
    {   // TODO: This needs to be converted to a switch
+        $amount = (float)$amount;
+
        if ($rounding_mode == Migration_TaxAmount::ROUND_UP) {    // TODO: === ?
            $fig = pow(10, $decimals);
            $rounded_total = (ceil($fig * $amount) + ceil($fig * $amount - ceil($fig * $amount))) / $fig;
@@ -354,7 +356,7 @@ class Migration_TaxAmount extends Migration
        $decimals = totals_decimals();

        foreach ($sales_taxes as $row_number => $sales_tax) {
-            $sale_tax_amount = $sales_tax['sale_tax_amount'];
+            $sale_tax_amount = (float)$sales_tax['sale_tax_amount'];
            $rounding_code = $sales_tax['rounding_code'];
            $rounded_sale_tax_amount = $sale_tax_amount;

--- a/app/Database/Migrations/20250521000000_FixImageFilenameSpaces.php
+++ b/app/Database/Migrations/20250521000000_FixImageFilenameSpaces.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace App\Database\Migrations;
+
+use CodeIgniter\Database\Migration;
+
+/**
+ * Migration to sanitize existing image filenames by replacing spaces with underscores
+ * This fixes issue #4372 where thumbnails failed to load for images with spaces in filenames
+ */
+class FixImageFilenameSpaces extends Migration
+{
+    /**
+     * Perform a migration.
+     */
+    public function up(): void
+    {
+        $db = \Config\Database::connect();
+        $builder = $db->table('ospos_items');
+        
+        // Get all items with pic_filename containing spaces
+        $query = $builder->like('pic_filename', ' ', 'both')->get();
+        $items = $query->getResult();
+        
+        foreach ($items as $item) {
+            $old_filename = $item->pic_filename;
+            $ext = pathinfo($old_filename, PATHINFO_EXTENSION);
+            $base_name = pathinfo($old_filename, PATHINFO_FILENAME);
+            
+            // Sanitize the filename by replacing spaces and special characters
+            $sanitized_name = preg_replace('/[^a-zA-Z0-9_\-\.]/', '_', $base_name);
+            $new_filename = $sanitized_name . '.' . $ext;
+            
+            // Rename the file on the filesystem
+            $old_path = FCPATH . 'uploads/item_pics/' . $old_filename;
+            $new_path = FCPATH . 'uploads/item_pics/' . $new_filename;
+            
+            if (file_exists($old_path)) {
+                // Rename the original file
+                if (rename($old_path, $new_path)) {
+                    // Check if thumbnail exists and rename it too
+                    $old_thumb = FCPATH . 'uploads/item_pics/' . $base_name . '_thumb.' . $ext;
+                    $new_thumb = FCPATH . 'uploads/item_pics/' . $sanitized_name . '_thumb.' . $ext;
+                    if (file_exists($old_thumb)) {
+                        rename($old_thumb, $new_thumb);
+                    }
+                    
+                    // Update database record
+                    $builder->where('item_id', $item->item_id)
+                        ->update(['pic_filename' => $new_filename]);
+                }
+            }
+        }
+    }
+
+    /**
+     * Revert a migration.
+     * Note: This migration does not support rollback as the original filenames are lost
+     */
+    public function down(): void
+    {
+        // This migration cannot be safely reversed as the original filenames are lost
+        // after sanitization.
+    }
+}
--- a/app/Database/Migrations/20260401000000_PaymentTransactions.php
+++ b/app/Database/Migrations/20260401000000_PaymentTransactions.php
@@ -0,0 +1,81 @@
+<?php
+
+namespace App\Database\Migrations;
+
+use CodeIgniter\Database\Migration;
+
+class Migration_PaymentTransactions extends Migration
+{
+    public function up(): void
+    {
+        $forge = \Config\Services::forge();
+        
+        $forge->addField([
+            'id' => [
+                'type' => 'INT',
+                'constraint' => 11,
+                'unsigned' => true,
+                'auto_increment' => true
+            ],
+            'provider_id' => [
+                'type' => 'VARCHAR',
+                'constraint' => 100,
+                'null' => false
+            ],
+            'sale_id' => [
+                'type' => 'INT',
+                'constraint' => 11,
+                'unsigned' => true,
+                'null' => true
+            ],
+            'transaction_id' => [
+                'type' => 'VARCHAR',
+                'constraint' => 255,
+                'null' => false
+            ],
+            'amount' => [
+                'type' => 'DECIMAL',
+                'constraint' => '15,2',
+                'null' => false
+            ],
+            'currency' => [
+                'type' => 'VARCHAR',
+                'constraint' => 3,
+                'default' => 'USD',
+                'null' => false
+            ],
+            'status' => [
+                'type' => 'ENUM',
+                'constraint' => ['pending', 'authorized', 'completed', 'failed', 'refunded', 'cancelled'],
+                'default' => 'pending',
+                'null' => false
+            ],
+            'metadata' => [
+                'type' => 'JSON',
+                'null' => true
+            ],
+            'created_at' => [
+                'type' => 'TIMESTAMP',
+                'null' => true
+            ],
+            'updated_at' => [
+                'type' => 'TIMESTAMP',
+                'null' => true
+            ]
+        ]);
+        
+        $forge->addKey('id', true);
+        $forge->addKey('provider_id');
+        $forge->addKey('sale_id');
+        $forge->addKey('transaction_id');
+        $forge->addKey('status');
+        
+        $forge->createTable('payment_transactions', true);
+    }
+
+    public function down(): void
+    {
+        $forge = \Config\Services::forge();
+        $forge->dropTable('payment_transactions', true);
+    }
+}
--- a/app/Database/Migrations/sqlscripts/initial_schema.sql
+++ b/app/Database/Migrations/sqlscripts/initial_schema.sql
@@ -730,3 +730,148 @@ CREATE TABLE `ospos_suppliers` (
 --
 -- Dumping data for table `ospos_suppliers`
 --
+--
+-- Constraints for dumped tables
+--
+
+--
+-- Constraints for table `ospos_customers`
+--
+ALTER TABLE `ospos_customers`
+    ADD CONSTRAINT `ospos_customers_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
+
+--
+-- Constraints for table `ospos_employees`
+--
+ALTER TABLE `ospos_employees`
+    ADD CONSTRAINT `ospos_employees_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
+
+--
+-- Constraints for table `ospos_inventory`
+--
+ALTER TABLE `ospos_inventory`
+    ADD CONSTRAINT `ospos_inventory_ibfk_1` FOREIGN KEY (`trans_items`) REFERENCES `ospos_items` (`item_id`),
+    ADD CONSTRAINT `ospos_inventory_ibfk_2` FOREIGN KEY (`trans_user`) REFERENCES `ospos_employees` (`person_id`),
+    ADD CONSTRAINT `ospos_inventory_ibfk_3` FOREIGN KEY (`trans_location`) REFERENCES `ospos_stock_locations` (`location_id`);
+
+--
+-- Constraints for table `ospos_items`
+--
+ALTER TABLE `ospos_items`
+    ADD CONSTRAINT `ospos_items_ibfk_1` FOREIGN KEY (`supplier_id`) REFERENCES `ospos_suppliers` (`person_id`);
+
+--
+-- Constraints for table `ospos_items_taxes`
+--
+ALTER TABLE `ospos_items_taxes`
+    ADD CONSTRAINT `ospos_items_taxes_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`) ON DELETE CASCADE;
+
+--
+-- Constraints for table `ospos_item_kit_items`
+--
+ALTER TABLE `ospos_item_kit_items`
+    ADD CONSTRAINT `ospos_item_kit_items_ibfk_1` FOREIGN KEY (`item_kit_id`) REFERENCES `ospos_item_kits` (`item_kit_id`) ON DELETE CASCADE,
+    ADD CONSTRAINT `ospos_item_kit_items_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`)  ON DELETE CASCADE;
+
+--
+-- Constraints for table `ospos_permissions`
+--
+ALTER TABLE `ospos_permissions`
+    ADD CONSTRAINT `ospos_permissions_ibfk_1` FOREIGN KEY (`module_id`) REFERENCES `ospos_modules` (`module_id`) ON DELETE CASCADE,
+    ADD CONSTRAINT `ospos_permissions_ibfk_2` FOREIGN KEY (`location_id`) REFERENCES `ospos_stock_locations` (`location_id`) ON DELETE CASCADE;
+
+--
+-- Constraints for table `ospos_grants`
+--
+ALTER TABLE `ospos_grants`
+    ADD CONSTRAINT `ospos_grants_ibfk_1` foreign key (`permission_id`) references `ospos_permissions` (`permission_id`) ON DELETE CASCADE,
+    ADD CONSTRAINT `ospos_grants_ibfk_2` foreign key (`person_id`) references `ospos_employees` (`person_id`) ON DELETE CASCADE;
+
+--
+-- Constraints for table `ospos_receivings`
+--
+ALTER TABLE `ospos_receivings`
+    ADD CONSTRAINT `ospos_receivings_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
+    ADD CONSTRAINT `ospos_receivings_ibfk_2` FOREIGN KEY (`supplier_id`) REFERENCES `ospos_suppliers` (`person_id`);
+
+--
+-- Constraints for table `ospos_receivings_items`
+--
+ALTER TABLE `ospos_receivings_items`
+    ADD CONSTRAINT `ospos_receivings_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
+    ADD CONSTRAINT `ospos_receivings_items_ibfk_2` FOREIGN KEY (`receiving_id`) REFERENCES `ospos_receivings` (`receiving_id`);
+
+--
+-- Constraints for table `ospos_sales`
+--
+ALTER TABLE `ospos_sales`
+    ADD CONSTRAINT `ospos_sales_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
+    ADD CONSTRAINT `ospos_sales_ibfk_2` FOREIGN KEY (`customer_id`) REFERENCES `ospos_customers` (`person_id`);
+
+--
+-- Constraints for table `ospos_sales_items`
+--
+ALTER TABLE `ospos_sales_items`
+    ADD CONSTRAINT `ospos_sales_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
+    ADD CONSTRAINT `ospos_sales_items_ibfk_2` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales` (`sale_id`),
+    ADD CONSTRAINT `ospos_sales_items_ibfk_3` FOREIGN KEY (`item_location`) REFERENCES `ospos_stock_locations` (`location_id`);
+
+--
+-- Constraints for table `ospos_sales_items_taxes`
+--
+ALTER TABLE `ospos_sales_items_taxes`
+    ADD CONSTRAINT `ospos_sales_items_taxes_ibfk_1` FOREIGN KEY (`sale_id`,`item_id`,`line`) REFERENCES `ospos_sales_items` (`sale_id`,`item_id`,`line`),
+    ADD CONSTRAINT `ospos_sales_items_taxes_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`);
+
+--
+-- Constraints for table `ospos_sales_payments`
+--
+ALTER TABLE `ospos_sales_payments`
+    ADD CONSTRAINT `ospos_sales_payments_ibfk_1` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales` (`sale_id`);
+
+--
+-- Constraints for table `ospos_sales_suspended`
+--
+ALTER TABLE `ospos_sales_suspended`
+    ADD CONSTRAINT `ospos_sales_suspended_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
+    ADD CONSTRAINT `ospos_sales_suspended_ibfk_2` FOREIGN KEY (`customer_id`) REFERENCES `ospos_customers` (`person_id`);
+
+--
+-- Constraints for table `ospos_sales_suspended_items`
+--
+ALTER TABLE `ospos_sales_suspended_items`
+    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
+    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_2` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales_suspended` (`sale_id`),
+    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_3` FOREIGN KEY (`item_location`) REFERENCES `ospos_stock_locations` (`location_id`);
+
+--
+-- Constraints for table `ospos_sales_suspended_items_taxes`
+--
+ALTER TABLE `ospos_sales_suspended_items_taxes`
+    ADD CONSTRAINT `ospos_sales_suspended_items_taxes_ibfk_1` FOREIGN KEY (`sale_id`,`item_id`,`line`) REFERENCES `ospos_sales_suspended_items` (`sale_id`,`item_id`,`line`),
+    ADD CONSTRAINT `ospos_sales_suspended_items_taxes_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`);
+
+--
+-- Constraints for table `ospos_sales_suspended_payments`
+--
+ALTER TABLE `ospos_sales_suspended_payments`
+    ADD CONSTRAINT `ospos_sales_suspended_payments_ibfk_1` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales_suspended` (`sale_id`);
+
+--
+-- Constraints for table `ospos_item_quantities`
+--
+ALTER TABLE `ospos_item_quantities`
+    ADD CONSTRAINT `ospos_item_quantities_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
+    ADD CONSTRAINT `ospos_item_quantities_ibfk_2` FOREIGN KEY (`location_id`) REFERENCES `ospos_stock_locations` (`location_id`);
+
+--
+-- Constraints for table `ospos_suppliers`
+--
+ALTER TABLE `ospos_suppliers`
+    ADD CONSTRAINT `ospos_suppliers_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
+
+--
+-- Constraints for table `ospos_giftcards`
+--
+ALTER TABLE `ospos_giftcards`
+    ADD CONSTRAINT `ospos_giftcards_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
--- a/app/Database/constraints.sql
+++ b/app/Database/constraints.sql
@@ -1,145 +0,0 @@
--
-- Constraints for dumped tables
--
-
--
-- Constraints for table `ospos_customers`
--
-ALTER TABLE `ospos_customers`
-    ADD CONSTRAINT `ospos_customers_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
-
--
-- Constraints for table `ospos_employees`
--
-ALTER TABLE `ospos_employees`
-    ADD CONSTRAINT `ospos_employees_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
-
--
-- Constraints for table `ospos_inventory`
--
-ALTER TABLE `ospos_inventory`
-    ADD CONSTRAINT `ospos_inventory_ibfk_1` FOREIGN KEY (`trans_items`) REFERENCES `ospos_items` (`item_id`),
-    ADD CONSTRAINT `ospos_inventory_ibfk_2` FOREIGN KEY (`trans_user`) REFERENCES `ospos_employees` (`person_id`),
-    ADD CONSTRAINT `ospos_inventory_ibfk_3` FOREIGN KEY (`trans_location`) REFERENCES `ospos_stock_locations` (`location_id`);
-
--
-- Constraints for table `ospos_items`
--
-ALTER TABLE `ospos_items`
-    ADD CONSTRAINT `ospos_items_ibfk_1` FOREIGN KEY (`supplier_id`) REFERENCES `ospos_suppliers` (`person_id`);
-
--
-- Constraints for table `ospos_items_taxes`
--
-ALTER TABLE `ospos_items_taxes`
-    ADD CONSTRAINT `ospos_items_taxes_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`) ON DELETE CASCADE;
-
--
-- Constraints for table `ospos_item_kit_items`
--
-ALTER TABLE `ospos_item_kit_items`
-    ADD CONSTRAINT `ospos_item_kit_items_ibfk_1` FOREIGN KEY (`item_kit_id`) REFERENCES `ospos_item_kits` (`item_kit_id`) ON DELETE CASCADE,
-    ADD CONSTRAINT `ospos_item_kit_items_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`)  ON DELETE CASCADE;
-
--
-- Constraints for table `ospos_permissions`
--
-ALTER TABLE `ospos_permissions`
-    ADD CONSTRAINT `ospos_permissions_ibfk_1` FOREIGN KEY (`module_id`) REFERENCES `ospos_modules` (`module_id`) ON DELETE CASCADE,
-    ADD CONSTRAINT `ospos_permissions_ibfk_2` FOREIGN KEY (`location_id`) REFERENCES `ospos_stock_locations` (`location_id`) ON DELETE CASCADE;
-
--
-- Constraints for table `ospos_grants`
--
-ALTER TABLE `ospos_grants`
-    ADD CONSTRAINT `ospos_grants_ibfk_1` foreign key (`permission_id`) references `ospos_permissions` (`permission_id`) ON DELETE CASCADE,
-    ADD CONSTRAINT `ospos_grants_ibfk_2` foreign key (`person_id`) references `ospos_employees` (`person_id`) ON DELETE CASCADE;
-
--
-- Constraints for table `ospos_receivings`
--
-ALTER TABLE `ospos_receivings`
-    ADD CONSTRAINT `ospos_receivings_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
-    ADD CONSTRAINT `ospos_receivings_ibfk_2` FOREIGN KEY (`supplier_id`) REFERENCES `ospos_suppliers` (`person_id`);
-
--
-- Constraints for table `ospos_receivings_items`
--
-ALTER TABLE `ospos_receivings_items`
-    ADD CONSTRAINT `ospos_receivings_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
-    ADD CONSTRAINT `ospos_receivings_items_ibfk_2` FOREIGN KEY (`receiving_id`) REFERENCES `ospos_receivings` (`receiving_id`);
-
--
-- Constraints for table `ospos_sales`
--
-ALTER TABLE `ospos_sales`
-    ADD CONSTRAINT `ospos_sales_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
-    ADD CONSTRAINT `ospos_sales_ibfk_2` FOREIGN KEY (`customer_id`) REFERENCES `ospos_customers` (`person_id`);
-
--
-- Constraints for table `ospos_sales_items`
--
-ALTER TABLE `ospos_sales_items`
-    ADD CONSTRAINT `ospos_sales_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
-    ADD CONSTRAINT `ospos_sales_items_ibfk_2` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales` (`sale_id`),
-    ADD CONSTRAINT `ospos_sales_items_ibfk_3` FOREIGN KEY (`item_location`) REFERENCES `ospos_stock_locations` (`location_id`);
-
--
-- Constraints for table `ospos_sales_items_taxes`
--
-ALTER TABLE `ospos_sales_items_taxes`
-    ADD CONSTRAINT `ospos_sales_items_taxes_ibfk_1` FOREIGN KEY (`sale_id`,`item_id`,`line`) REFERENCES `ospos_sales_items` (`sale_id`,`item_id`,`line`),
-    ADD CONSTRAINT `ospos_sales_items_taxes_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`);
-
--
-- Constraints for table `ospos_sales_payments`
--
-ALTER TABLE `ospos_sales_payments`
-    ADD CONSTRAINT `ospos_sales_payments_ibfk_1` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales` (`sale_id`);
-
--
-- Constraints for table `ospos_sales_suspended`
--
-ALTER TABLE `ospos_sales_suspended`
-    ADD CONSTRAINT `ospos_sales_suspended_ibfk_1` FOREIGN KEY (`employee_id`) REFERENCES `ospos_employees` (`person_id`),
-    ADD CONSTRAINT `ospos_sales_suspended_ibfk_2` FOREIGN KEY (`customer_id`) REFERENCES `ospos_customers` (`person_id`);
-
--
-- Constraints for table `ospos_sales_suspended_items`
--
-ALTER TABLE `ospos_sales_suspended_items`
-    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
-    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_2` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales_suspended` (`sale_id`),
-    ADD CONSTRAINT `ospos_sales_suspended_items_ibfk_3` FOREIGN KEY (`item_location`) REFERENCES `ospos_stock_locations` (`location_id`);
-
--
-- Constraints for table `ospos_sales_suspended_items_taxes`
--
-ALTER TABLE `ospos_sales_suspended_items_taxes`
-    ADD CONSTRAINT `ospos_sales_suspended_items_taxes_ibfk_1` FOREIGN KEY (`sale_id`,`item_id`,`line`) REFERENCES `ospos_sales_suspended_items` (`sale_id`,`item_id`,`line`),
-    ADD CONSTRAINT `ospos_sales_suspended_items_taxes_ibfk_2` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`);
-
--
-- Constraints for table `ospos_sales_suspended_payments`
--
-ALTER TABLE `ospos_sales_suspended_payments`
-    ADD CONSTRAINT `ospos_sales_suspended_payments_ibfk_1` FOREIGN KEY (`sale_id`) REFERENCES `ospos_sales_suspended` (`sale_id`);
-
--
-- Constraints for table `ospos_item_quantities`
--
-ALTER TABLE `ospos_item_quantities`
-    ADD CONSTRAINT `ospos_item_quantities_ibfk_1` FOREIGN KEY (`item_id`) REFERENCES `ospos_items` (`item_id`),
-    ADD CONSTRAINT `ospos_item_quantities_ibfk_2` FOREIGN KEY (`location_id`) REFERENCES `ospos_stock_locations` (`location_id`);
-
--
-- Constraints for table `ospos_suppliers`
--
-ALTER TABLE `ospos_suppliers`
-    ADD CONSTRAINT `ospos_suppliers_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
-
--
-- Constraints for table `ospos_giftcards`
--
-ALTER TABLE `ospos_giftcards`
-    ADD CONSTRAINT `ospos_giftcards_ibfk_1` FOREIGN KEY (`person_id`) REFERENCES `ospos_people` (`person_id`);
--- a/app/Database/docker_mysql.cnf
+++ b/app/Database/docker_mysql.cnf
@@ -1,5 +1,5 @@
 [mysqld]
-sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
+sql_mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION"

 key_buffer        = 16M
 max_allowed_packet = 1M
--- a/app/Events/PaymentEvents.php
+++ b/app/Events/PaymentEvents.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace App\Events;
+
+use App\Libraries\Payments\PaymentProviderRegistry;
+use CodeIgniter\Events\Events;
+use Config\Services;
+
+class PaymentEvents
+{
+    public static function initialize(): void
+    {
+        Events::on('payment_initiated', [static::class, 'onPaymentInitiated']);
+        Events::on('payment_completed', [static::class, 'onPaymentCompleted']);
+        Events::on('payment_failed', [static::class, 'onPaymentFailed']);
+        Events::on('sale_completed', [static::class, 'onSaleCompleted']);
+    }
+
+    public static function onPaymentInitiated(array $data): void
+    {
+        log_message('debug', sprintf(
+            'Payment initiated: type=%s, amount=%s, sale_id=%s',
+            $data['payment_type'] ?? 'unknown',
+            $data['amount'] ?? 0,
+            $data['sale_id'] ?? 'pending'
+        ));
+    }
+
+    public static function onPaymentCompleted(array $data): void
+    {
+        log_message('debug', sprintf(
+            'Payment completed: type=%s, amount=%s, sale_id=%s',
+            $data['payment_type'] ?? 'unknown',
+            $data['amount'] ?? 0,
+            $data['sale_id'] ?? 'pending'
+        ));
+    }
+
+    public static function onPaymentFailed(array $data): void
+    {
+        log_message('warning', sprintf(
+            'Payment failed: type=%s, amount=%s, error=%s',
+            $data['payment_type'] ?? 'unknown',
+            $data['amount'] ?? 0,
+            $data['error'] ?? 'unknown error'
+        ));
+    }
+
+    public static function onSaleCompleted(array $data): void
+    {
+        log_message('info', sprintf(
+            'Sale completed: sale_id=%s, total=%s, payments=%s',
+            $data['sale_id'] ?? 'unknown',
+            $data['total'] ?? 0,
+            json_encode($data['payments'] ?? [])
+        ));
+    }
+}
--- a/app/Helpers/locale_helper.php
+++ b/app/Helpers/locale_helper.php
@@ -1,6 +1,7 @@
 <?php

 use App\Models\Employee;
+use CodeIgniter\Events\Events;
 use Config\OSPOS;

 /**
@@ -89,6 +90,8 @@ function get_languages(): array
        'pt-BR:portuguese'            => 'Portuguese (Brazil)',
        'ro:romanian'                 => 'Romanian',
        'ru:russian'                  => 'Russian',
+        'sw-KE:swahili'               => 'Swahili (Kenya)',
+        'sw-TZ:swahili'               => 'Swahili (Tanzania)',
        'sv:swedish'                  => 'Swedish',
        'ta:tamil'                    => 'Tamil',
        'th:thai'                     => 'Thai',
@@ -274,6 +277,12 @@ function get_payment_options(): array
        $payments[lang('Sales.upi')] = lang('Sales.upi');
    }

+    // Allow payment provider plugins to add additional payment options
+    $eventPayments = Events::trigger('payment_options', $payments);
+    if (is_array($eventPayments)) {
+        return $eventPayments;
+    }
+
    return $payments;
 }

--- a/app/Helpers/payment_helper.php
+++ b/app/Helpers/payment_helper.php
@@ -0,0 +1,64 @@
+<?php
+
+use App\Libraries\Payments\PaymentProviderRegistry;
+use CodeIgniter\Events\Events;
+
+if (!function_exists('register_payment_provider')) {
+    function register_payment_provider(App\Libraries\Payments\PaymentProviderInterface $provider): void
+    {
+        PaymentProviderRegistry::getInstance()->register($provider);
+    }
+}
+
+if (!function_exists('get_payment_providers')) {
+    function get_payment_providers(): array
+    {
+        return PaymentProviderRegistry::getInstance()->getProviders();
+    }
+}
+
+if (!function_exists('get_enabled_payment_providers')) {
+    function get_enabled_payment_providers(): array
+    {
+        return PaymentProviderRegistry::getInstance()->getEnabledProviders();
+    }
+}
+
+if (!function_exists('get_enabled_payment_types')) {
+    function get_enabled_payment_types(): array
+    {
+        return PaymentProviderRegistry::getInstance()->getEnabledPaymentTypes();
+    }
+}
+
+if (!function_exists('get_payment_provider')) {
+    function get_payment_provider(string $providerId): ?App\Libraries\Payments\PaymentProviderInterface
+    {
+        return PaymentProviderRegistry::getInstance()->getProvider($providerId);
+    }
+}
+
+if (!function_exists('get_payment_provider_for_type')) {
+    function get_payment_provider_for_type(string $paymentTypeKey): ?App\Libraries\Payments\PaymentProviderInterface
+    {
+        return PaymentProviderRegistry::getInstance()->getProviderForPaymentType($paymentTypeKey);
+    }
+}
+
+if (!function_exists('payment_provider_content')) {
+    function payment_provider_content(string $section, array $data = []): string
+    {
+        $results = Events::trigger("payment_view:{$section}", $data);
+        $output = '';
+        if (is_array($results)) {
+            foreach ($results as $result) {
+                if (is_string($result)) {
+                    $output .= $result;
+                }
+            }
+        } elseif (is_string($results)) {
+            $output = $results;
+        }
+        return $output;
+    }
+}
--- a/app/Helpers/tabular_helper.php
+++ b/app/Helpers/tabular_helper.php
@@ -48,7 +48,7 @@ function transform_headers(array $headers, bool $readonly = false, bool $editabl
            'field'      => key($element),
            'title'      => current($element),
            'switchable' => $element['switchable'] ?? !preg_match('(^$|&nbsp)', current($element)),
-            'escape'     => !preg_match("/(edit|email|messages|item_pic|customer_name|note)/", key($element)) && !(isset($element['escape']) && !$element['escape']),
+            'escape'     => !preg_match("/(edit|email|messages|item_pic)/", key($element)) && !(isset($element['escape']) && !$element['escape']),
            'sortable'   => $element['sortable'] ?? current($element) != '',
            'checkbox'   => $element['checkbox'] ?? false,
            'class'      => isset($element['checkbox']) || preg_match('(^$|&nbsp)', current($element)) ? 'print_hide' : '',
@@ -408,7 +408,7 @@ function get_items_manage_table_headers(): string
 {
    $attribute = model(Attribute::class);
    $config = config(OSPOS::class)->settings;
-    $definition_names = $attribute->get_definitions_by_flags($attribute::SHOW_IN_ITEMS);    // TODO: this should be made into a constant in constants.php
+    $definitionsWithTypes = $attribute->get_definitions_by_flags($attribute::SHOW_IN_ITEMS, true);

    $headers = item_headers();

@@ -420,8 +420,8 @@ function get_items_manage_table_headers(): string

    $headers[] = ['item_pic' => lang('Items.image'), 'sortable' => false];

-    foreach ($definition_names as $definition_id => $definition_name) {
-        $headers[] = [$definition_id => $definition_name, 'sortable' => false];
+    foreach ($definitionsWithTypes as $definition_id => $definitionInfo) {
+        $headers[] = [$definition_id => $definitionInfo['name'], 'sortable' => false];
    }

    $headers[] = ['inventory' => '', 'escape' => false];
@@ -470,7 +470,8 @@ function get_item_data_row(object $item): array
            : glob("./uploads/item_pics/$item->pic_filename");

        if (sizeof($images) > 0) {
-            $image .= '<a class="rollover" href="' . base_url($images[0]) . '"><img alt="Image thumbnail" src="' . site_url('items/PicThumb/' . pathinfo($images[0], PATHINFO_BASENAME)) . '"></a>';
+            $image_path = ltrim($images[0], './');
+            $image .= '<a class="rollover" href="' . base_url(implode('/', array_map('rawurlencode', explode('/', $image_path)))) . '"><img alt="Image thumbnail" src="' . site_url('items/PicThumb/' . rawurlencode(pathinfo($images[0], PATHINFO_BASENAME))) . '"></a>';
        }
    }

@@ -478,7 +479,7 @@ function get_item_data_row(object $item): array
        $item->name .= NAME_SEPARATOR . $item->pack_name;
    }

-    $definition_names = $attribute->get_definitions_by_flags($attribute::SHOW_IN_ITEMS);
+    $definition_names = $attribute->get_definitions_by_flags($attribute::SHOW_IN_ITEMS, true);

    $columns = [
        'items.item_id' => $item->item_id,
@@ -633,7 +634,7 @@ function parse_attribute_values(array $columns, array $row): array
 }

 /**
- * @param array $definition_names
+ * @param array $definition_names Array of definition_id => ['name' => name, 'type' => type] or definition_id => name
 * @param array $row
 * @return array
 */
@@ -650,10 +651,16 @@ function expand_attribute_values(array $definition_names, array $row): array
    }

    $attribute_values = [];
-    foreach ($definition_names as $definition_id => $definition_name) {
+    foreach ($definition_names as $definition_id => $definitionInfo) {
        if (isset($indexed_values[$definition_id])) {
-            $attribute_value = $indexed_values[$definition_id];
-            $attribute_values["$definition_id"] = $attribute_value;
+            $raw_value = $indexed_values[$definition_id];
+            
+            // Format DECIMAL attributes according to locale
+            if (is_array($definitionInfo) && isset($definitionInfo['type']) && $definitionInfo['type'] === DECIMAL) {
+                $attribute_values["$definition_id"] = to_decimals($raw_value);
+            } else {
+                $attribute_values["$definition_id"] = $raw_value;
+            }
        } else {
            $attribute_values["$definition_id"] = "";
        }
@@ -924,3 +931,24 @@ function get_controller(): string
    $controller_name_parts = explode('\\', $controller_name);
    return end($controller_name_parts);
 }
+
+/**
+ * Restores filter values from URL query string.
+ * 
+ * @param CodeIgniter\HTTP\IncomingRequest $request The request object
+ * @return array Array with 'start_date', 'end_date', and 'selected_filters' keys
+ */
+function restoreTableFilters($request): array
+{
+    $startDate = $request->getGet('start_date', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $endDate = $request->getGet('end_date', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    $urlFilters = $request->getGet('filters', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+    
+    return array_filter([
+        'start_date' => $startDate ?: null,
+        'end_date' => $endDate ?: null,
+        'selected_filters' => $urlFilters ?? []
+    ], function($value) {
+        return $value !== null && $value !== [];
+    });
+}
--- a/app/Language/ar-EG/Attributes.php
+++ b/app/Language/ar-EG/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "هل أنت متأكد من أنك تريد حذف الميزات المحددة ؟",
    "confirm_restore"                  => "هل أنت متأكد من أنك تريد استعادة السمة (السمات) المحددة؟",
    "definition_cannot_be_deleted"     => "لا يمكن حذف السمات المحددة",
+    "definition_invalid_group" => "المجموعة المحددة غير موجودة أو غير صالحة.",
    "definition_error_adding_updating" => "لا يمكن إضافة السمة {0} أو تحديثها. يرجى التحقق من سجل الخطأ.",
    "definition_flags"                 => "رؤية الميزات",
    "definition_group"                 => "المجموعة",
--- a/app/Language/ar-EG/Calendar.php
+++ b/app/Language/ar-EG/Calendar.php
@@ -0,0 +1,49 @@
+<?php
+
+return [
+    "su"        => "أحد",
+    "mo"        => "اثنين",
+    "tu"        => "ثلاثاء",
+    "we"        => "أربعاء",
+    "th"        => "خميس",
+    "fr"        => "جمعة",
+    "sa"        => "سبت",
+    "sun"       => "الأحد",
+    "mon"       => "الاثنين",
+    "tue"       => "الثلاثاء",
+    "wed"       => "الأربعاء",
+    "thu"       => "الخميس",
+    "fri"       => "الجمعة",
+    "sat"       => "السبت",
+    "sunday"    => "الأحد",
+    "monday"    => "الاثنين",
+    "tuesday"   => "الثلاثاء",
+    "wednesday" => "الأربعاء",
+    "thursday"  => "الخميس",
+    "friday"    => "الجمعة",
+    "saturday"  => "السبت",
+    "jan"       => "يناير",
+    "feb"       => "فبراير",
+    "mar"       => "مارس",
+    "apr"       => "أبريل",
+    "may"       => "مايو",
+    "jun"       => "يونيو",
+    "jul"       => "يوليو",
+    "aug"       => "أغسطس",
+    "sep"       => "سبتمبر",
+    "oct"       => "أكتوبر",
+    "nov"       => "نوفمبر",
+    "dec"       => "ديسمبر",
+    "january"   => "يناير",
+    "february"  => "فبراير",
+    "march"     => "مارس",
+    "april"     => "أبريل",
+    "mayl"      => "مايو",
+    "june"      => "يونيو",
+    "july"      => "يوليو",
+    "august"    => "أغسطس",
+    "september" => "سبتمبر",
+    "october"   => "أكتوبر",
+    "november"  => "نوفمبر",
+    "december"  => "ديسمبر",
+];
--- a/app/Language/ar-EG/Employees.php
+++ b/app/Language/ar-EG/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "كلمة المرور الحالية غير صحيحة.",
    "employee"                     => "موظف",
    "error_adding_updating"        => "خطاء فى إضافة/تعديل موظف.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "لايمكن حذف المستخدم admin الخاص بنسخة العرض.",
    "error_updating_demo_admin"    => "لايمكن تغيير بيانات المستخدم admin الخاص بنسخة العرض.",
    "language"                     => "اللغة",
--- a/app/Language/ar-EG/Items.php
+++ b/app/Language/ar-EG/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "سعر التكلفة مطلوب.",
    "count"                              => "تحديث المخزون",
    "csv_import_failed"                  => "فشل الإستيراد من اكسل",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "الملف الذى رفعته إما فارغ أو أنه مختلف البنية.",
    "csv_import_partially_failed"        => "يوجد خطأ بنسبة {0} في استيراد الاصناف في السطر: {1}. لم يتم استيرادهم.",
    "csv_import_success"                 => "تم استيراد الأصناف بنجاح.",
--- a/app/Language/ar-EG/Receivings.php
+++ b/app/Language/ar-EG/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "ابداء بكتابة اسم المورد....",
    "stock"                        => "المخزون",
    "stock_destination"            => "المخزون المحول له",
-    "stock_locaiton"               => "مكان المخزون",
+    "stock_location"               => "مكان المخزون",
    "stock_source"                 => "مصدر المخزون",
    "successfully_deleted"         => "لقد تم الحذف",
    "successfully_updated"         => "لقد تم التحديث",
--- a/app/Language/ar-LB/Attributes.php
+++ b/app/Language/ar-LB/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "هل أنت متأكد من أنك تريد حذف الميزات المحددة ؟",
    "confirm_restore"                  => "هل أنت متأكد من أنك تريد استعادة السمة (السمات) المحددة؟",
    "definition_cannot_be_deleted"     => "لا يمكن حذف السمات المحددة",
+    "definition_invalid_group" => "المجموعة المحددة غير موجودة أو غير صالحة.",
    "definition_error_adding_updating" => "لا يمكن إضافة السمة {0} أو تحديثها. يرجى التحقق من سجل الخطأ.",
    "definition_flags"                 => "رؤية الميزات",
    "definition_group"                 => "المجموعة",
--- a/app/Language/ar-LB/Employees.php
+++ b/app/Language/ar-LB/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "كلمة المرور الحالية غير صحيحة.",
    "employee"                     => "موظف",
    "error_adding_updating"        => "خطاء فى إضافة/تعديل موظف.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "لايمكن حذف المستخدم admin الخاص بنسخة العرض.",
    "error_updating_demo_admin"    => "لايمكن تغيير بيانات المستخدم admin الخاص بنسخة العرض.",
    "language"                     => "اللغة",
--- a/app/Language/ar-LB/Items.php
+++ b/app/Language/ar-LB/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "سعر التكلفة مطلوب.",
    "count"                              => "تحديث المخزون",
    "csv_import_failed"                  => "فشل الإستيراد من اكسل",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "الملف الذى رفعته إما فارغ أو أنه مختلف البنية.",
    "csv_import_partially_failed"        => "يوجد خطأ بنسبة {0} في استيراد الاصناف في السطر: {1}. لم يتم استيرادهم.",
    "csv_import_success"                 => "تم استيراد الأصناف بنجاح.",
--- a/app/Language/ar-LB/Receivings.php
+++ b/app/Language/ar-LB/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "ابداء بكتابة اسم المورد....",
    "stock"                        => "المخزون",
    "stock_destination"            => "المخزون المحول له",
-    "stock_locaiton"               => "مكان المخزون",
+    "stock_location"               => "مكان المخزون",
    "stock_source"                 => "مصدر المخزون",
    "successfully_deleted"         => "لقد تم الحذف",
    "successfully_updated"         => "لقد تم التحديث",
--- a/app/Language/az/Attributes.php
+++ b/app/Language/az/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "Seçilmiş Atributları silmək istədiyinizdən əminsinizmi?",
    "confirm_restore"                  => "Seçilmiş atributları bərpa etmək istədiyinizə əminsinizmi?",
    "definition_cannot_be_deleted"     => "Seçilmiş xüsusiyyətləri silmək olmadı",
+    "definition_invalid_group" => "",
    "definition_error_adding_updating" => "{0} -in atributları əlavə oluna və yenilənə bilmədi. Lütfən XƏTA loq faylını yoxlayın.",
    "definition_flags"                 => "Atribut görünüşü",
    "definition_group"                 => "Qrup",
--- a/app/Language/az/Employees.php
+++ b/app/Language/az/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "Hazirki Şifrə düzgün deyil.",
    "employee"                     => "Əməkdaş",
    "error_adding_updating"        => "Əməkdaş əlavə etməsk və ya yeniləməsi baş vermədi.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "Demo administrator istifadəçisini silə bilməzsiniz.",
    "error_updating_demo_admin"    => "Demo administrator istifadəçisini dəyişə bilməzsiniz.",
    "language"                     => "Dil",
--- a/app/Language/az/Items.php
+++ b/app/Language/az/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "Topdan satiış - doldurulması vacib sahə.",
    "count"                              => "inventorun yenilənməsi",
    "csv_import_failed"                  => "səhv csv import",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "Yüklənmiş faylda məlumat yoxdur və ya düzgün formatlanmır.",
    "csv_import_partially_failed"        => "Xətlərdə {0} element idxalı uğursuzluq (lar) var: {1}. Heç bir sıra idxal edilmədi.",
    "csv_import_success"                 => "Malların İdxalı Uğurla Həyata Keçdi.",
--- a/app/Language/az/Receivings.php
+++ b/app/Language/az/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "Təchizatçıın adını yazmağa başlayın ...",
    "stock"                        => "Ehtiyyat",
    "stock_destination"            => "Ehtiyyatın Hədəfi",
-    "stock_locaiton"               => "Ehtiyyatın Yeri",
+    "stock_location"               => "Ehtiyyatın Yeri",
    "stock_source"                 => "Ehtiyyatın Mənbəyi",
    "successfully_deleted"         => "cəmi",
    "successfully_updated"         => "alışda sehv var",
--- a/app/Language/bg/Attributes.php
+++ b/app/Language/bg/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "",
    "confirm_restore"                  => "",
    "definition_cannot_be_deleted"     => "",
+    "definition_invalid_group" => "",
    "definition_error_adding_updating" => "",
    "definition_flags"                 => "",
    "definition_group"                 => "",
--- a/app/Language/bg/Employees.php
+++ b/app/Language/bg/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "Текущата парола е невалидна.",
    "employee"                     => "Служител",
    "error_adding_updating"        => "Добавянето или актуализирането на служителите е неуспешно.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "Не може да изтриете Пробният Администратор.",
    "error_updating_demo_admin"    => "Не може да промените Пробният Администратор.",
    "language"                     => "Език",
--- a/app/Language/bg/Items.php
+++ b/app/Language/bg/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "Wholesale Price is a required field.",
    "count"                              => "Update Inventory",
    "csv_import_failed"                  => "CSV import failed",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "The uploaded file has no data or is formatted incorrectly.",
    "csv_import_partially_failed"        => "Item import successful with some failures:",
    "csv_import_success"                 => "Item import successful.",
--- a/app/Language/bg/Receivings.php
+++ b/app/Language/bg/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "Start Typing Supplier's name...",
    "stock"                        => "",
    "stock_destination"            => "Stock Destination",
-    "stock_locaiton"               => "Stock Location",
+    "stock_location"               => "Stock Location",
    "stock_source"                 => "Stock Source",
    "successfully_deleted"         => "You have successfully deleted",
    "successfully_updated"         => "Receiving successfully updated",
--- a/app/Language/bs/Attributes.php
+++ b/app/Language/bs/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "Da li ste sigurni da želite da izbrišete izabrani atribut?",
    "confirm_restore"                  => "Da li ste sigurni da želite vratiti izabrane atribute?",
    "definition_cannot_be_deleted"     => "Nije moguće izbrisati izabrane atribut",
+    "definition_invalid_group" => "",
    "definition_error_adding_updating" => "Atribut {0} nije moguće dodati ili ažurirati. Molimo provjerite dnevnik grešaka.",
    "definition_flags"                 => "Vidljivost atributa",
    "definition_group"                 => "Grupa",
--- a/app/Language/bs/Employees.php
+++ b/app/Language/bs/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "Trenutna lozinka je nevažeća.",
    "employee"                     => "Zaposlenik",
    "error_adding_updating"        => "Dodavanje ili ažuriranje zaposlenika nije uspjelo.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "Ne možete izbrisati demo korisnika administratora.",
    "error_updating_demo_admin"    => "Ne možete promijeniti korisnika demo administratora.",
    "language"                     => "Jezik",
--- a/app/Language/bs/Items.php
+++ b/app/Language/bs/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "Fakturna cijena je obavezno polje.",
    "count"                              => "Ažuriraj zalihu",
    "csv_import_failed"                  => "Uvoz CSV-a nije uspio",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "Učitana CSV datoteka nema podatke ili je pogrešno formatirana.",
    "csv_import_partially_failed"        => "Bilo je {0} grešaka pri uvozu stavke na liniji: {1}. Nijedan red nije uvezen.",
    "csv_import_success"                 => "Uvoz CSV stavke je uspješan.",
--- a/app/Language/bs/Receivings.php
+++ b/app/Language/bs/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "Počnite upisivati ime dobavljača ...",
    "stock"                        => "Skladište",
    "stock_destination"            => "Destinacija skladišta",
-    "stock_locaiton"               => "Lokacija zaliha",
+    "stock_location"               => "Lokacija zaliha",
    "stock_source"                 => "Izvor zaliha",
    "successfully_deleted"         => "Uspješno ste izbrisali prijem",
    "successfully_updated"         => "Uspješno ste ažurirali prijem",
--- a/app/Language/ckb/Attributes.php
+++ b/app/Language/ckb/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "ئایا دڵنیای کە دەتەوێت تایبەتمەندییە هەڵبژێردراوەکە(کان) بسڕیتەوە؟",
    "confirm_restore"                  => "ئایا دڵنیای کە دەتەوێت تایبەتمەندییە هەڵبژێردراوەکە(کان) بگەڕێنیتەوە؟",
    "definition_cannot_be_deleted"     => "نەتوانرا تایبەتمەندی هەڵبژێردراو بسڕدرێتەوە",
+    "definition_invalid_group" => "",
    "definition_error_adding_updating" => "تایبەتمەندی {0} نەتوانرا زیاد بکرێت یان نوێ بکرێتەوە. تکایە لیستی هەڵەکان بپشکنە.",
    "definition_flags"                 => "توانای بینراویی تایبەتمەندی",
    "definition_group"                 => "گروپ",
--- a/app/Language/ckb/Employees.php
+++ b/app/Language/ckb/Employees.php
@@ -14,6 +14,8 @@ return [
    'current_password_invalid' => "وشەی نهێنی ئێستا نادروستە.",
    'employee' => "فەرمانبەر",
    'error_adding_updating' => "زیادکردن یان نوێکردنەوەی کارمەند سەرکەوتوو نەبوو.",
+    'error_deleting_admin' => "",
+    'error_updating_admin' => "",
    'error_deleting_demo_admin' => "ناتوانیت بەکارهێنەری ئەدمینی تاقیکردنەوەیی بسڕیتەوە.",
    'error_updating_demo_admin' => "ناتوانیت بەکارهێنەری ئەدمین تاقیکردنەوەیی بگۆڕیت.",
    'language' => "زمان",
--- a/app/Language/ckb/Items.php
+++ b/app/Language/ckb/Items.php
@@ -26,6 +26,7 @@ return [
    'cost_price_required' => "نرخی جوملە خانەیەکی پێویستە.",
    'count' => "جەرد نوێ بکەوە",
    'csv_import_failed' => "هاوردەکردنی CSV سەرکەوتوو نەبوو",
+    'csv_import_invalid_location' => "",
    'csv_import_nodata_wrongformat' => "پەڕگەی CSV بارکراو هیچ داتایەکی نییە یان بە هەڵە فۆرمات کراوە.",
    'csv_import_partially_failed' => "{0} شکستی هاوردەکردنی بابەتی لەسەر هێڵەکان هەبوو: {1}. هیچ ڕیزێک هاوردە نەکرا.",
    'csv_import_success' => "بابەتی هاوردەکردنی CSV سەرکەوتوو بوو.",
--- a/app/Language/ckb/Receivings.php
+++ b/app/Language/ckb/Receivings.php
@@ -43,7 +43,7 @@ return [
    'start_typing_supplier_name' => "دەست بکە بە نووسینی ناوی دابینکەر...",
    'stock' => "کۆگا",
    'stock_destination' => "شوێنی مەبەستی کۆگا",
-    'stock_locaiton' => "شوێنی کۆگا",
+    'stock_location' => "شوێنی کۆگا",
    'stock_source' => "سەرچاوەی کۆگا",
    'successfully_deleted' => "بەسەرکەوتوویی سڕیتەوە",
    'successfully_updated' => "وەرگرتن بە سەرکەوتوویی نوێ کراوەتەوە",
--- a/app/Language/cs/Attributes.php
+++ b/app/Language/cs/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "",
    "confirm_restore"                  => "",
    "definition_cannot_be_deleted"     => "",
+    "definition_invalid_group" => "",
    "definition_error_adding_updating" => "",
    "definition_flags"                 => "",
    "definition_group"                 => "",
--- a/app/Language/cs/Employees.php
+++ b/app/Language/cs/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "",
    "employee"                     => "",
    "error_adding_updating"        => "",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "",
    "error_updating_demo_admin"    => "",
    "language"                     => "",
--- a/app/Language/cs/Items.php
+++ b/app/Language/cs/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "Musíte zadat nákupní cenu.",
    "count"                              => "Upravit množství",
    "csv_import_failed"                  => "Import z CSVu se nepovedl",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "Nahraný soubor neobsahuje žádná data nebo má špatný formát.",
    "csv_import_partially_failed"        => "Při importu položek došlo k několika chybám:",
    "csv_import_success"                 => "Import položek proběhl bez chyby.",
--- a/app/Language/cs/Receivings.php
+++ b/app/Language/cs/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "Začněte psát jméno dodavatele...",
    "stock"                        => "Sklad",
    "stock_destination"            => "Cílový sklad",
-    "stock_locaiton"               => "Umístění skladu",
+    "stock_location"               => "Umístění skladu",
    "stock_source"                 => "",
    "successfully_deleted"         => "Smazáno",
    "successfully_updated"         => "Upraveno",
--- a/app/Language/da/Attributes.php
+++ b/app/Language/da/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "Er du sikker på, at du vil slette de valgte egenskaber?",
    "confirm_restore"                  => "Er du sikker på, at du vil gendanne de valgte egenskaber?",
    "definition_cannot_be_deleted"     => "De valgte egenskaber kunne ikke slettes",
+    "definition_invalid_group" => "Den valgte gruppe findes ikke eller er ugyldig.",
    "definition_error_adding_updating" => "Egenskab {0} Kunne ikke tilføjes eller opdateres. Tjek venligst fejlprotokollen.",
    "definition_flags"                 => "Egenskabens Synlighed",
    "definition_group"                 => "Gruppe",
--- a/app/Language/da/Employees.php
+++ b/app/Language/da/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "Current Password is invalid.",
    "employee"                     => "Employee",
    "error_adding_updating"        => "Employee add or update failed.",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "You can not delete the demo admin user.",
    "error_updating_demo_admin"    => "You can not change the demo admin user.",
    "language"                     => "Language",
--- a/app/Language/da/Items.php
+++ b/app/Language/da/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "",
    "count"                              => "",
    "csv_import_failed"                  => "",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "",
    "csv_import_partially_failed"        => "",
    "csv_import_success"                 => "",
--- a/app/Language/da/Receivings.php
+++ b/app/Language/da/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "",
    "stock"                        => "",
    "stock_destination"            => "",
-    "stock_locaiton"               => "",
+    "stock_location"               => "",
    "stock_source"                 => "",
    "successfully_deleted"         => "",
    "successfully_updated"         => "",
--- a/app/Language/de-CH/Attributes.php
+++ b/app/Language/de-CH/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "",
    "confirm_restore"                  => "",
    "definition_cannot_be_deleted"     => "",
+    "definition_invalid_group" => "Die ausgewählte Gruppe existiert nicht oder ist ungültig.",
    "definition_error_adding_updating" => "",
    "definition_flags"                 => "",
    "definition_group"                 => "",
--- a/app/Language/de-CH/Employees.php
+++ b/app/Language/de-CH/Employees.php
@@ -14,6 +14,8 @@ return [
    "current_password_invalid"     => "",
    "employee"                     => "Mitarbeiter",
    "error_adding_updating"        => "Fehler beim Hinzufügen/Ändern",
+    "error_deleting_admin"         => "",
+    "error_updating_admin"         => "",
    "error_deleting_demo_admin"    => "Sie können den Admin nicht löschen",
    "error_updating_demo_admin"    => "Sie können den Admin nicht ändern",
    "language"                     => "",
--- a/app/Language/de-CH/Items.php
+++ b/app/Language/de-CH/Items.php
@@ -26,6 +26,7 @@ return [
    "cost_price_required"                => "Einstandspreis ist erforderlich",
    "count"                              => "Ändere Bestand",
    "csv_import_failed"                  => "CSV Import fehlerhaft",
+    "csv_import_invalid_location"        => "",
    "csv_import_nodata_wrongformat"      => "Your uploaded file has no data or wrong format",
    "csv_import_partially_failed"        => "Most Items imported. But some were not, here is the list",
    "csv_import_success"                 => "Import of Items successful",
--- a/app/Language/de-CH/Receivings.php
+++ b/app/Language/de-CH/Receivings.php
@@ -43,7 +43,7 @@ return [
    "start_typing_supplier_name"   => "Lieferantenname eingeben",
    "stock"                        => "",
    "stock_destination"            => "Lagerort (Ziel)",
-    "stock_locaiton"               => "Lagerort",
+    "stock_location"               => "Lagerort",
    "stock_source"                 => "Lagerort (Quelle)",
    "successfully_deleted"         => "Löschung erfolgreich",
    "successfully_updated"         => "Änderung erfolgreich",
--- a/app/Language/de-DE/Attributes.php
+++ b/app/Language/de-DE/Attributes.php
@@ -5,6 +5,7 @@ return [
    "confirm_delete"                   => "Sind Sie sicher, dass Sie die ausgewählten Attribute löschen möchten?",
    "confirm_restore"                  => "Sind Sie sicher, dass Sie die ausgewählten Attribute wiederherstellen möchten?",
    "definition_cannot_be_deleted"     => "Ausgewählte Attribute konnten nicht gelöscht werden",
+    "definition_invalid_group" => "Die ausgewählte Gruppe existiert nicht oder ist ungültig.",
    "definition_error_adding_updating" => "Das Attribut {0} konnte nicht hinzugefügt oder aktualisiert werden. Bitte überprüfen Sie den Error-Log.",
    "definition_flags"                 => "Attribut Sichtbarkeit",
    "definition_group"                 => "Gruppe",
--- a/app/Language/de-DE/Calendar.php
+++ b/app/Language/de-DE/Calendar.php
@@ -0,0 +1,49 @@
+<?php
+
+return [
+    "su"        => "So",
+    "mo"        => "Mo",
+    "tu"        => "Di",
+    "we"        => "Mi",
+    "th"        => "Do",
+    "fr"        => "Fr",
+    "sa"        => "Sa",
+    "sun"       => "Son",
+    "mon"       => "Mon",
+    "tue"       => "Die",
+    "wed"       => "Mit",
+    "thu"       => "Don",
+    "fri"       => "Fre",
+    "sat"       => "Sam",
+    "sunday"    => "Sonntag",
+    "monday"    => "Montag",
+    "tuesday"   => "Dienstag",
+    "wednesday" => "Mittwoch",
+    "thursday"  => "Donnerstag",
+    "friday"    => "Freitag",
+    "saturday"  => "Samstag",
+    "jan"       => "Jan",
+    "feb"       => "Feb",
+    "mar"       => "Mär",
+    "apr"       => "Apr",
+    "may"       => "Mai",
+    "jun"       => "Jun",
+    "jul"       => "Jul",
+    "aug"       => "Aug",
+    "sep"       => "Sep",
+    "oct"       => "Okt",
+    "nov"       => "Nov",
+    "dec"       => "Dez",
+    "january"   => "Januar",
+    "february"  => "Februar",
+    "march"     => "März",
+    "april"     => "April",
+    "mayl"      => "Mai",
+    "june"      => "Juni",
+    "july"      => "Juli",
+    "august"    => "August",
+    "september" => "September",
+    "october"   => "Oktober",
+    "november"  => "November",
+    "december"  => "Dezember",
+];
--- a/app/Language/de-DE/Common.php
+++ b/app/Language/de-DE/Common.php
@@ -3,18 +3,18 @@
 return [
    "address_1"                      => "Adresse 1",
    "address_2"                      => "Adresse 2",
-    "admin"                          => "",
+    "admin"                          => "Administrator",
    "city"                           => "Stadt",
-    "clerk"                          => "",
+    "clerk"                          => "Angestellter",
    "close"                          => "Schließen",
-    "color"                          => "",
+    "color"                          => "Theme-Farben",
    "comments"                       => "Kommentare",
    "common"                         => "Allgemein",
    "confirm_search"                 => "Sie haben eine oder mehrere Zeilen gewählt. Nach der Verarbeitung werden diese nicht mehr ausgewählt sein. Wollen Sie die Suche dennoch verarbeiten?",
    "copyrights"                     => "© 2010 - {0}",
    "correct_errors"                 => "Bitte korrigieren Sie vor dem Speichern die angezeigten Fehler",
    "country"                        => "Land",
-    "dashboard"                      => "",
+    "dashboard"                      => "Dashboard",
    "date"                           => "Datum",
    "delete"                         => "Löschen",
    "det"                            => "Details",
@@ -26,15 +26,15 @@ return [
    "export_csv_no"                  => "Nein",
    "export_csv_yes"                 => "Ja",
    "fields_required_message"        => "Die Felder in rot sind erforderlich",
-    "fields_required_message_unique" => "",
+    "fields_required_message_unique" => "Die rot markierten Felder sind erforderlich und müssen eindeutig sein",
    "first_name"                     => "Vorname",
    "first_name_required"            => "Vorname ist erforderlich.",
    "first_page"                     => "Erste",
    "gender"                         => "Geschlecht",
    "gender_female"                  => "W",
    "gender_male"                    => "M",
-    "gender_undefined"               => "",
-    "icon"                           => "",
+    "gender_undefined"               => "Undefiniert",
+    "icon"                           => "Symbol",
    "id"                             => "ID",
    "import"                         => "Import",
    "import_change_file"             => "Ändern",
@@ -48,21 +48,21 @@ return [
    "last_page"                      => "Letzte",
    "learn_about_project"            => "für neueste Nachrichten zum Projekt.",
    "list_of"                        => "Liste von",
-    "logo"                           => "",
-    "logo_mark"                      => "",
+    "logo"                           => "Logo",
+    "logo_mark"                      => "Marke",
    "logout"                         => "Ausloggen",
-    "manager"                        => "",
+    "manager"                        => "Manager",
    "migration_needed"               => "Eine Datenbankmigration auf {0} wird nach der Anmeldung gestartet.",
    "new"                            => "Neu",
-    "no"                             => "",
+    "no"                             => "Nein",
    "no_persons_to_display"          => "Keine Personen zum Anzeigen.",
    "none_selected_text"             => "[auswählen]",
    "or"                             => "Oder",
-    "people"                         => "",
+    "people"                         => "Personen",
    "phone_number"                   => "Telefon",
    "phone_number_required"          => "Telefon ist erforderlich",
    "please_visit_my"                => "Bitte beuschen Sie",
-    "position"                       => "",
+    "position"                       => "Position",
    "powered_by"                     => "Unterstützt von",
    "price"                          => "Preis",
    "print"                          => "Drucken",
@@ -73,8 +73,8 @@ return [
    "search"                         => "Suche",
    "search_options"                 => "Suchkriterien",
    "searched_for"                   => "Gescuht nach",
-    "software_short"                 => "",
-    "software_title"                 => "",
+    "software_short"                 => "OSPOS",
+    "software_title"                 => "Open Source Point of Sale",
    "state"                          => "BL/Kanton",
    "submit"                         => "Senden",
    "total_spent"                    => "Gesamtausgaben",
@@ -83,7 +83,7 @@ return [
    "website"                        => "Website",
    "welcome"                        => "Willkommen",
    "welcome_message"                => "Willkommen bei OSPOS, zum Beginnen auf ein Modul klicken.",
-    "yes"                            => "",
+    "yes"                            => "Ja",
    "you_are_using_ospos"            => "Sie verwenden Open Source Point Of Sale Version",
    "zip"                            => "PLZ",
 ];
--- a/app/Language/de-DE/Employees.php
+++ b/app/Language/de-DE/Employees.php
@@ -1,24 +1,26 @@
 <?php

 return [
-    "administrator"                => "",
+    "administrator"                => "Administrator",
    "basic_information"            => "Mitarbeiter-Information",
    "cannot_be_deleted"            => "Konnte gewählten Mitarbeiter nicht löschen, einer oder mehrere weisen Verkäufe aus.",
-    "change_employee"              => "",
+    "change_employee"              => "Mitarbeiter ändern",
    "change_password"              => "Passwort Ändern",
-    "clerk"                        => "",
-    "commission"                   => "",
+    "clerk"                        => "Angestellter",
+    "commission"                   => "Provision",
    "confirm_delete"               => "Wollen Sie diesen Mitarbeiter wirklich löschen?",
    "confirm_restore"              => "Möchten Sie die ausgewählten Mitarbeiter wiederherstellen?",
    "current_password"             => "Aktuelles Passwort",
    "current_password_invalid"     => "Aktuelles Passwort ist ungültig.",
    "employee"                     => "Mitarbeiter",
    "error_adding_updating"        => "Fehler beim Hinzufügen/Ändern.",
+    "error_deleting_admin"         => "Sie können keinen Administrator löschen.",
+    "error_updating_admin"         => "Sie können keinen Administrator ändern.",
    "error_deleting_demo_admin"    => "Sie können den Demo-Administrator nicht löschen.",
    "error_updating_demo_admin"    => "Sie können den Demo-Administrator nicht verändern.",
    "language"                     => "Sprache",
    "login_info"                   => "Mitarbeiter Login",
-    "manager"                      => "",
+    "manager"                      => "Manager",
    "new"                          => "Neuer Mitarbeiter",
    "none_selected"                => "Sie haben keine Mitarbeiter zum Löschen gewählt.",
    "one_or_multiple"              => "Mitarbeiter",
--- a/Show More
+++ b/Show More