From 05b4e999bb21f1385e52e992ba6f599fc0ba3a82 Mon Sep 17 00:00:00 2001
From: Julio Cesar Laura
Date: Wed, 7 May 2014 16:49:51 -0400
Subject: [PATCH] BUG 13436 ProcessMaker 2.x Authenticated PHP Code Execution IMPROVEMENT
---
 workflow/engine/methods/setup/skin_Ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php
index 7978c89b7..e00bc76be 100755
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -6,7 +6,7 @@ if (! isset( $_REQUEST['action'] )) {
 print G::json_encode( $res );
 die();
 }
-if (! function_exists( $_REQUEST['action'] )) {
+if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['action'])) {
 $res['success'] = false;
 $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION_NOT_EXIST');
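Review bot: The rewritten condition still lets a request-supplied name decide what may run: `G::isUserFunction()` (its body is not part of this patch) presumably filters out PHP built-ins, but every user-defined function loaded when skin_Ajax.php executes would still pass, not only this file's own action handlers. Assuming the name is invoked further down, outside this hunk, an explicit allowlist is the tighter check: `$allowed = array('handlerA', 'handlerB'); // placeholders: list this file's action functions` followed by `if (! is_string( $_REQUEST['action'] ) || ! in_array( $_REQUEST['action'], $allowed, true )) {`. The `is_string` test also keeps an array-valued `action` parameter out of `function_exists()`. The error branch opened by this `if` continues past the end of the hunk.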