# Boss Grade Access Boss Grade Access — moh-billing The **Management tab** is restricted to high-ranking members of each society. Access is determined by the player's current job grade — the same grade integer used by QBCore and ESX job systems. ### How it works When a player opens `/billing`, the script checks two things: 1. Is their job in `Config.AllowedSocieties`? (required for Create tab) 2. Is their job grade >= the minimum boss grade for that job? (required for Management tab) Both conditions must be true for the Management tab to appear. The check happens on the **server** as well, so the tab cannot be accessed by spoofing NUI messages. ### Grade sources by framework | Framework | Field used | Typical range | | --------- | ---------------------------- | ----------------------------------------------------- | | QBCore | `PlayerData.job.grade.level` | 0 (recruit) → 3 or 4 (boss/chief) | | ESX | `job.grade` | 0 (lowest) → highest defined in `job_grades` DB table | ### Configuring minimum grades Set a global fallback and then per-job overrides in `config.lua`: ``` Config.DefaultBossGrade = 3 -- used for any job not listed in BossGrades Config.BossGrades = { police = 3, -- grade 3+ opens Management ambulance = 3, swat = 2, -- grade 2+ opens Management (smaller hierarchy) mechanic = 2, } ``` > **Tip:** To check what grade numbers your jobs use, open your QBCore `qb-core/shared/jobs.lua` or query your ESX database: `SELECT * FROM job_grades WHERE job_name = 'police';` ### Three-layer protection Boss access is enforced at three independent layers so it cannot be bypassed: | Layer | Location | What it does | | ---------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | 1 — UI | `web/ui.html` | The Management tab is never rendered in the DOM if `isBoss` is false. The player cannot see or click it. | | 2 — Client | `client.lua` | The `isBoss` flag sent to the NUI is computed from the server callback result, not client-side player data alone. | | 3 — Server | `server.lua` | Every `Withdraw` and `Deposit` server event re-checks `player.isBoss` before processing. A spoofed NUI call will be rejected here. | ### What happens when access is denied If a player somehow triggers a Withdraw or Deposit event without the correct grade: * The server rejects the event and sends an error notification to the player. * A **Discord webhook log** is sent with the player's name, job, and grade so you can investigate. * No money is moved. Webhook embed example: ``` 🚫 Unauthorized Withdraw Attempt Player: John Smith Job: police Grade: 1 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://mohssins.gitbook.io/mohscriptsdocs/moh-billing/boss-grade-access.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.