diff --git a/workflow/engine/methods/processes/processes_DownloadFile.php b/workflow/engine/methods/processes/processes_DownloadFile.php
index 7cd355876..f973b50e9 100644
--- a/workflow/engine/methods/processes/processes_DownloadFile.php
+++ b/workflow/engine/methods/processes/processes_DownloadFile.php
@@ -1,26 +1,5 @@ .
- *
- * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
- * Coral Gables, FL, 33134, USA, or email info@colosa.com.
- */
+//$RBAC->allows(basename(__FILE__), 'downloadFileHash');
 if (!isset($_GET["file_hash"])) {
 throw new Exception("Invalid Request, param 'file_hash' was not sent.");
@@ -28,26 +7,16 @@ if (!isset($_GET["file_hash"])) {
 $httpStream = new \ProcessMaker\Util\IO\HttpStream();
 $outputDir = PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "files" . PATH_SEP . "output" . PATH_SEP;
-$filename = urldecode(base64_decode($_GET["file_hash"]));
-$fileExtension = pathinfo($outputDir . $filename, PATHINFO_EXTENSION);
+$fileName = urldecode(base64_decode($_GET["file_hash"]));
+$processFile = $outputDir . $fileName;
-if (!file_exists($outputDir . $filename)) {
- throw new Exception("Error, couldn't find request file: $filename");
+//Verify if the file related to process exist in the corresponding path
+$fileInformation = pathinfo($processFile);
+$processFile = $outputDir . $fileInformation['basename'];
+if (!file_exists($processFile)) {
+ throw new Exception("Error, couldn't find request file: $fileName");
 }
-
-$httpStream->loadFromFile($outputDir . $filename);
+$fileExtension = $fileInformation['extension'];
+$httpStream->loadFromFile($processFile);
 $httpStream->setHeader("Content-Type", "application/$fileExtension");
 $httpStream->send();
-
-// ************* DEPRECATED (it will be removed soon) *********************************
-//add more security, and catch any error or exception
-//$sFileName = $_GET['p'] . '.pm';
-//$file = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName . 'tpm';
-//$filex = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName;
-//
-//if (file_exists( $file )) {
-// rename( $file, $filex );
-//}
-//
-//$realPath = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName;
-//G::streamFile( $realPath, true );
diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php
index 2f3fe89a8..fef91eeaf 100644
--- a/workflow/engine/methods/setup/skin_Ajax.php
+++ b/workflow/engine/methods/setup/skin_Ajax.php
@@ -1,8 +1,4 @@ xssFilterHard($_REQUEST); - if (! isset( $_REQUEST['action'] )) {
 $res['success'] = false;
 $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
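Review bot: `$fileExtension = $fileInformation['extension'];` on the new side reads a key that `pathinfo()` omits when the requested name has no extension, so such a request raises an undefined-index notice and is served with a bare `Content-Type: application/` header; use `$fileExtension = $fileInformation['extension'] ?? 'octet-stream';`, or better, map the extension through a fixed allow-list instead of echoing it into the header. The existence check also stays on `file_exists()`, which is true for directories as well (a decoded name that resolves to `.` or `..` keeps a directory in `$processFile`), so `if (!is_file($processFile)) {` is the right guard before `loadFromFile()`. Taking `basename` of the decoded name does confine the lookup to `$outputDir`, which is the useful part of this change. Note that the RBAC check for this endpoint is added only as a commented-out line in the first hunk of this file, so nothing on the new side authorizes the download.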
@@ -17,8 +13,7 @@ if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['ac
 print G::json_encode( $res );
 die();
 }
-$restrictedFunctions = array ('copy_skin_folder','addTarFolder'
-);
+$restrictedFunctions = array ('copy_skin_folder','addTarFolder');
 if (in_array( $_REQUEST['action'], $restrictedFunctions )) {
 $res['success'] = false;
 $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION_NOT_EXIST');
@@ -26,9 +21,9 @@ if (in_array( $_REQUEST['action'], $restrictedFunctions )) {
 die();
 }
-$functionName = $_REQUEST['action'];
+$functionName = $_REQUEST['action'];error_log($functionName);
 $functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array ();
-
+//$RBAC->allows(basename(__FILE__), $functionName);
 $functionName();
 function updatePageSize ()
@@ -166,7 +161,7 @@ function newSkin ($baseSkin = 'classic')
 $configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml';
 $xmlConfiguration = file_get_contents( $configFileOriginal );
-
+
 $workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS;
 $xmlConfigurationObj = G::xmlParser($xmlConfiguration);
@@ -356,9 +351,9 @@ function exportSkin ($skinToExport = "")
 $response['success'] = true;
 $response['message'] = $skinTar;
 G::auditLog("ExportSkin", "Skin Name: ".$skinName);
-
+
 $response = $filter->xssFilterHard($response);
-
+
 print_r( G::json_encode( $response ) );
 } catch (Exception $e) {
 $response['success'] = false;
@@ -374,7 +369,7 @@ function deleteSkin ()
 $filter = new InputFilter();
 try {
 $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
-
+
 if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
 throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
 }
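Review bot: `$functionName = $_REQUEST['action'];error_log($functionName);` in the hunk at old line 26 looks like leftover debugging: it writes the raw request value to the PHP error log on every call and is glued onto the assignment line, so drop `error_log($functionName);` (or route it through the project's audit logging if the call is meant to be recorded). Two lines below, the permission check arrives only as the comment `//$RBAC->allows(basename(__FILE__), $functionName);`, so the dynamic dispatch `$functionName();` still invokes whichever user function the request names, filtered only by the `$restrictedFunctions` exclusion list above; either enable the call or add a comment stating why the check is deferred. The same commented-out RBAC line is introduced in processes_DownloadFile.php in this commit. The remaining hunks in this file are whitespace-only.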
@@ -400,9 +395,9 @@ function deleteSkin ()
 function streamSkin ()
 {
- $skinTar = $_REQUEST['file'];
+ $skinTar = basename($_REQUEST['file']);
 $bDownload = true;
- G::streamFile( $skinTar, $bDownload, basename( $skinTar ) );
+ G::streamFile(PATH_CUSTOM_SKINS . $skinTar, $bDownload, $skinTar);
 @unlink( $fileTar );
 }
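Review bot: `@unlink( $fileTar );` on the new side names a variable that `streamSkin()` never assigns and does not declare as `global`, so the `@` only hides the undefined-variable notice and the streamed archive is never removed; if cleanup is intended, use `@unlink(PATH_CUSTOM_SKINS . $skinTar);` (now that the path is built inline), otherwise delete the line. `basename()` does confine the request to `PATH_CUSTOM_SKINS`, but any file under that directory is now served; if this endpoint exists only to hand out exported skin archives (the `$skinTar` naming suggests so), also reject names whose extension is not the archive's, e.g. `if (pathinfo($skinTar, PATHINFO_EXTENSION) !== 'tar') { die(); }`, and fail early when `$_REQUEST['file']` is absent instead of passing `null` to `basename()`. The function body is fully contained in this hunk.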