From 04a8b6561af03b1a27f7006fdfa8d71e7ae45ae7 Mon Sep 17 00:00:00 2001
From: Ronald Quenta
Date: Mon, 7 Aug 2017 16:33:49 -0400
Subject: [PATCH] HOR-3467
---
 gulliver/system/class.rbac.php | 11 ++++++++++-
 .../processCategory/processCategoryList.php | 7 +++++--
 .../processCategory/processCategory_Ajax.php | 14 ++++++++++++++
 3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index c4749221e..3d6f99282 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -147,8 +147,17 @@ class RBAC
 ),
 'newSite.php' => array(
 'newSite.php' => array('PM_SETUP_ADVANCE')
+ ),
+ 'processCategory_Ajax.php' => array(
+ 'processCategoryList' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'updatePageSize' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'checkCategoryName' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'saveNewCategory' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'checkEditCategoryName' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'updateCategory' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'canDeleteCategory' => array('PM_SETUP', 'PM_SETUP_ADVANCE'),
+ 'deleteCategory' => array('PM_SETUP', 'PM_SETUP_ADVANCE')
 )
-
 );
 }
diff --git a/workflow/engine/methods/processCategory/processCategoryList.php b/workflow/engine/methods/processCategory/processCategoryList.php
index 3c819b354..148286a39 100644
--- a/workflow/engine/methods/processCategory/processCategoryList.php
+++ b/workflow/engine/methods/processCategory/processCategoryList.php
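Review bot: The new `'processCategory_Ajax.php'` entry lists two permissions per action without stating whether a caller needs either one or both, and that decides who can reach `saveNewCategory`, `updateCategory` and `deleteCategory`. The page check in processCategoryList.php in this same patch accepts either `PM_SETUP` or `PM_SETUP_ADVANCE`, so if the lookup that consumes this map requires every listed permission, the two entry points disagree; that lookup is not visible in the hunk. Once the behaviour is confirmed against the consuming method, a comment above the entry would record it, for example `// any one of the listed permissions is sufficient; actions not listed here are refused`. The enclosing array and method begin above the hunk.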
@@ -21,9 +21,12 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+use ProcessMaker\Exception\RBACException;
+
+/** @var RBAC $RBAC */
+global $RBAC;
 if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_SETUP_ADVANCE' ) != 1) {
- G::SendTemporalMessage( 'krlos', 'error', 'labels' );
- die();
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
 }
 $c = new Configurations();
diff --git a/workflow/engine/methods/processCategory/processCategory_Ajax.php b/workflow/engine/methods/processCategory/processCategory_Ajax.php
index 74d529ede..d1c1d73f2 100644
--- a/workflow/engine/methods/processCategory/processCategory_Ajax.php
+++ b/workflow/engine/methods/processCategory/processCategory_Ajax.php
@@ -22,6 +22,20 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+use ProcessMaker\Exception\RBACException;
+
+/** @var RBAC $RBAC */
+global $RBAC;
+switch ($RBAC->userCanAccess('PM_LOGIN')) {
+ case -2:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_SYSTEM', -2);
+ break;
+ case -1:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
+ break;
+}
+$RBAC->allows(basename(__FILE__), $_REQUEST['action']);
+
 if (isset( $_REQUEST['action'] )) {
 switch ($_REQUEST['action']) {
 case 'processCategoryList':
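Review bot: Denial on this page now depends on whatever catches `RBACException`, because the added `throw` replaces an explicit `die()` and no handler is part of this patch. If the exception reaches PHP's default handler instead, the request ends in a fatal error whose message and stack trace may be shown to the client, depending on the error-display settings. Confirm that the handler stops the request and renders only the translated message. Once confirmed, a comment above the throw would record that dependency, for example `// RBACException must be caught by the request dispatcher, which renders the message and ends the request`.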
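Review bot: The guard added to processCategory_Ajax.php denies only when `userCanAccess('PM_LOGIN')` returns exactly -2 or -1, so any other non-success value falls through the switch and the request proceeds. The `!= 1` test in processCategoryList.php in this patch treats every value other than 1 as a denial, which suggests 1 is the only success value. The `$RBAC->allows(...)` call also reads `$_REQUEST['action']` before the existing `isset()` check and discards the return value, so a missing or array-valued action is handed straight to the lookup. Enforcement therefore rests on `allows()` itself throwing for unlisted input, which is not visible here. The fence shows a fail-closed form of the guard with a normalised action; the two `break;` lines after `throw` are unreachable and are dropped. The dispatch switch continues past the end of the hunk.

```php
global $RBAC;
$access = $RBAC->userCanAccess('PM_LOGIN');
if ($access != 1) {
    // Deny on every non-success code, not only -1 and -2.
    if ($access == -2) {
        throw new RBACException('ID_USER_HAVENT_RIGHTS_SYSTEM', -2);
    }
    throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
}
// Normalise a missing or array-valued action to '' before the permission lookup.
$action = isset($_REQUEST['action']) && is_string($_REQUEST['action']) ? $_REQUEST['action'] : '';
$RBAC->allows(basename(__FILE__), $action);
// … unchanged: if (isset($_REQUEST['action'])) { switch … } dispatch …
```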