diff --git a/x2engine/protected/components/X2WebApplication.php b/x2engine/protected/components/X2WebApplication.php
index 736a71ef3..348539d1e 100644
--- a/x2engine/protected/components/X2WebApplication.php
+++ b/x2engine/protected/components/X2WebApplication.php
@@ -44,6 +44,24 @@
 */
 class X2WebApplication extends CWebApplication {
+ /**
+ * Processes the current request.
+ * It first resolves the request into controller and action,
+ * and then creates the controller to perform the action.
+ */
+ public function processRequest()
+ {
+ if(is_array($this->catchAllRequest) && isset($this->catchAllRequest[0]))
+ {
+ $route=$this->catchAllRequest[0];
+ foreach(array_splice($this->catchAllRequest,1) as $name=>$value)
+ $_GET[$name]=$value;
+ }
+ else
+ $route=$this->getUrlManager()->parseUrl($this->getRequest());
+ $this->runController(Fields::getPurifier()->purify($route));
+ }
+
 /**
 * Checks whether the named component has been created.
 * @param string $id application component ID
diff --git a/x2engine/protected/components/sortableWidget/recordViewWidgets/ActionHistoryChartWidget.php b/x2engine/protected/components/sortableWidget/recordViewWidgets/ActionHistoryChartWidget.php
index 3137d398d..e0859f0e2 100644
--- a/x2engine/protected/components/sortableWidget/recordViewWidgets/ActionHistoryChartWidget.php
+++ b/x2engine/protected/components/sortableWidget/recordViewWidgets/ActionHistoryChartWidget.php
@@ -83,7 +83,9 @@ public static function getChartData (
 //printR (('startdate, enddate = '.$startTimestamp.', '.$endTimestamp), true);
 $associationType = strtolower ($associationType);
-
+ if (is_bool($showRelationships) !== true || !is_numeric($associationId)) {
+ throw new CHttpException(403, Yii::t('admin', 'Incorrect parameters.'));
+ }
 $associationCondition = self::getAssociationCond (
 $associationId, $associationType, $showRelationships);
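Review bot: The override exists only for the `Fields::getPurifier()->purify($route)` call on its last line, but the docblock is the verbatim parent description and never says so, so a later maintainer could drop the method as a redundant copy of CWebApplication::processRequest(); add a line such as `* Overrides CWebApplication::processRequest() to pass the resolved route through the HTML purifier before dispatch, so a crafted route is not reflected unescaped where runController embeds it (its "Unable to resolve the request" 404).` HTMLPurifier is an HTML sanitiser rather than a route validator: it passes anything that is not markup and can rewrite characters that may be legitimate in a route, and it runs on every request, so a narrow character whitelist on the route (path segments and separators) would be both cheaper and more precise — confirm against the URL manager's rule set before tightening. The class body continues past the end of this hunk.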
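Review bot: `is_bool($showRelationships) !== true` is a roundabout `!is_bool($showRelationships)`, and `is_numeric` is looser than the guard appears to intend — it accepts floats, exponent forms and leading whitespace (`'1.5'`, `'1e3'`, `' 12'`), so `$associationId` can still reach `getAssociationCond` as something other than an integer id; `if (!is_bool($showRelationships) || filter_var($associationId, FILTER_VALIDATE_INT) === false) {` pins it to an integer. A malformed parameter is conventionally a 400 rather than a 403, which reads as an authorisation failure to whoever triages the log. getChartData begins before this hunk, and whether getAssociationCond binds the id as a query parameter is not visible here, so the stricter check is worth having regardless.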
diff --git a/x2engine/protected/controllers/AdminController.php b/x2engine/protected/controllers/AdminController.php
index 766677ba9..04ca0a805 100644
--- a/x2engine/protected/controllers/AdminController.php
+++ b/x2engine/protected/controllers/AdminController.php
@@ -5501,7 +5501,11 @@ public function actionFinishGlobalExport() {
 * @param string $file Filepath of the requested file
 */
 public function actionDownloadData($file) {
- $this->sendFile($file);
+ if (Yii::app()->params->isAdmin) {
+ $this->sendFile($file);
+ } else {
+ throw new CHttpException(403, Yii::t('admin', 'Insufficient permissions.'));
+ }
 }
 /**
diff --git a/x2engine/protected/controllers/ProfileController.php b/x2engine/protected/controllers/ProfileController.php
index f34e16037..72c723d3f 100644
--- a/x2engine/protected/controllers/ProfileController.php
+++ b/x2engine/protected/controllers/ProfileController.php
@@ -348,11 +348,11 @@ public function actionAjaxExportTheme($themeId) {
 $file = $themeName.'.json';
 $filePath = $this->safePath($file);
 file_put_contents($filePath, $encodedTheme);
- echo CJSON::encode(array(
- 'downloadUrl' => $this->createUrl('/admin/downloadData', array(
- 'file' => $file
- ))
- ));
+ if (Yii::app()->params->isAdmin) {
+ $this->sendFile($file);
+ } else {
+ throw new CHttpException(403, Yii::t('admin', 'Insufficient permissions.'));
+ }
 } else {
 throw new CHttpException(
 404, Yii::t('app', 'Theme does not exist or you do not have permissions to view it.'));
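Review bot: The admin gate changes actionDownloadData's contract but its docblock still only has `@param string $file Filepath of the requested file`; add `@throws CHttpException 403 when the current user is not an administrator`. Whether `$file` is confined to a safe directory depends entirely on `sendFile`, which is outside this hunk — if it does not route through `safePath`, the admin check narrows who can exercise the path handling but does not fix it, so that is worth confirming. The same `isAdmin`/403 block is duplicated verbatim in ProfileController::actionAjaxExportTheme in the next hunk; a single helper, or the controllers' accessRules, would keep the two from drifting apart.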
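Review bot: The 403 is raised only after `file_put_contents($filePath, $encodedTheme)` has already run, so a non-administrator can still cause the theme JSON to be written to disk before being refused; move the `Yii::app()->params->isAdmin` check ahead of the write, ideally to the top of the action before `$file` and `$filePath` are computed. The response also changes from a JSON `downloadUrl` payload to the raw file body, so any front-end code that still parses that JSON from this ajax action will break — confirm the caller was updated in the same change. `sendFile` is handed `$file` rather than the `$filePath` that `safePath` produced, which is only safe if `sendFile` applies the same constraint; worth confirming since it is not visible here. actionAjaxExportTheme begins before this hunk.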