From ccacc0813aea97f35e4337d1e895f2ba9c4111db Mon Sep 17 00:00:00 2001
From: dheeyi william
Date: Thu, 6 Jan 2022 15:06:24 -0400
Subject: [PATCH] Users are able to access the plugins tab in ADMIN even if they dont have the permission "PM_SETUP_PLUGINS" in their role
---
 workflow/engine/menus/setup.php | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/workflow/engine/menus/setup.php b/workflow/engine/menus/setup.php
index 7aca46ec4..3c8d4a5b3 100755
--- a/workflow/engine/menus/setup.php
+++ b/workflow/engine/menus/setup.php
@@ -385,14 +385,19 @@ if ($licenseStatusInfo["message"] != "") {
 /*----------------------------------********---------------------------------*/
 if ($RBAC->userCanAccess('PM_SETUP') == 1) {
 /*----------------------------------********---------------------------------*/
- $G_TMP_MENU->AddIdRawOption(
- 'PMENTERPRISE',
- '../enterprise/addonsStore',
- G::LoadTranslation('ID_MENU_NAME') . $licStatusMsg,
- '',
- '',
- 'plugins'
- );
+ if (
+ $RBAC->userCanAccess('PM_SETUP_PLUGINS') === 1 &&
+ $RBAC->userCanAccess('PM_SETUP_ADVANCE') === 1
+ ) {
+ $G_TMP_MENU->AddIdRawOption(
+ 'PMENTERPRISE',
+ '../enterprise/addonsStore',
+ G::LoadTranslation('ID_MENU_NAME') . $licStatusMsg,
+ '',
+ '',
+ 'plugins'
+ );
+ }
 if ($RBAC->userCanAccess('PM_SETUP_CUSTOM_CASES_LIST') == 1) {
 $G_TMP_MENU->AddIdRawOption(
 'CASES_LIST_SETUP',
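Review bot: Gating the `PMENTERPRISE` menu entry does not by itself stop a user without `PM_SETUP_PLUGINS` from requesting `../enterprise/addonsStore` directly; this patch touches only `menus/setup.php`, so the same permission check should be confirmed (or added) in the handler behind that URL, which is not visible here. The new condition also requires `PM_SETUP_ADVANCE`, which the commit subject does not mention; a one-line comment above the `if (` such as `// Plugins tab requires both PM_SETUP_PLUGINS and PM_SETUP_ADVANCE` would record the intent. The two new checks use `=== 1` while the neighbouring `PM_SETUP` and `PM_SETUP_CUSTOM_CASES_LIST` checks use `== 1`; if `userCanAccess()` can ever return a non-integer value such as the string `'1'`, the entry would be hidden from entitled users, so verify the return type or keep the comparison consistent. The enclosing `if ($RBAC->userCanAccess('PM_SETUP') == 1) {` block continues outside the hunk.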