Index: install/install_data.sql
===================================================================
--- install/install_data.sql	(revision 13311)
+++ install/install_data.sql	(working copy)
@@ -641,10 +641,11 @@
 INSERT INTO Permissions VALUES (DEFAULT, 'in-portal:configemail.view', 11, 1, 1, 0);
 INSERT INTO Permissions VALUES (DEFAULT, 'in-portal:configemail.edit', 11, 1, 1, 0);
 
-INSERT INTO Permissions VALUES (DEFAULT, 'CATEGORY.VIEW', 11, 1, 0, 0);
-INSERT INTO Permissions VALUES (DEFAULT, 'CATEGORY.ADD', 11, 1, 0, 0);
-INSERT INTO Permissions VALUES (DEFAULT, 'CATEGORY.DELETE', 11, 1, 0, 0);
-INSERT INTO Permissions VALUES (DEFAULT, 'CATEGORY.MODIFY', 11, 1, 0, 0);
+INSERT INTO Permissions VALUES(DEFAULT, 'CATEGORY.VIEW', 15, 1, 0, 1);
+INSERT INTO Permissions VALUES(DEFAULT, 'CATEGORY.ADD', 11, 1, 0, 1);
+INSERT INTO Permissions VALUES(DEFAULT, 'CATEGORY.ADD.PENDING', 13, 1, 0, 1);
+INSERT INTO Permissions VALUES(DEFAULT, 'CATEGORY.DELETE', 11, 1, 0, 1);
+INSERT INTO Permissions VALUES(DEFAULT, 'CATEGORY.MODIFY', 11, 1, 0, 1);
 
 INSERT INTO Permissions VALUES (DEFAULT, 'in-portal:service.view', 11, 1, 1, 0);
 INSERT INTO Permissions VALUES (DEFAULT, 'in-portal:service.edit', 11, 1, 1, 0);
Index: install/upgrades.php
===================================================================
--- install/upgrades.php	(revision 13311)
+++ install/upgrades.php	(working copy)
@@ -1318,4 +1318,91 @@
 				}
 			}
 		}
+
+		/**
+		 * Update to 5.0.3-B2; Moves CATEGORY.* permission from module root categories to Content category
+		 *
+		 * @param string $mode when called mode {before, after)
+		 */
+		function Upgrade_5_0_3_B2($mode)
+		{
+			if ($mode == 'before') {
+				// get permissions
+				$sql = 'SELECT PermissionName
+						FROM ' . TABLE_PREFIX . 'PermissionConfig
+						WHERE PermissionName LIKE "CATEGORY.%"';
+				$permission_names = $this->Conn->GetCol($sql);
+
+				// get groups
+				$sql = 'SELECT GroupId
+						FROM ' . TABLE_PREFIX . 'PortalGroup';
+				$user_groups = $this->Conn->GetCol($sql);
+				$user_group_count = count($user_groups);
+
+				// get module root categories
+				$sql = 'SELECT RootCat
+						FROM ' . TABLE_PREFIX . 'Modules';
+				$module_categories = $this->Conn->GetCol($sql);
+
+				$module_categories[] = 0;
+				$module_categories = implode(',', array_unique($module_categories));
+
+				$permissions = $delete_permission_ids = Array ();
+
+				foreach ($permission_names as $permission_name) {
+					foreach ($user_groups as $group_id) {
+						$sql = 'SELECT PermissionId
+								FROM ' . TABLE_PREFIX . 'Permissions
+								WHERE (Permission = ' . $this->Conn->qstr($permission_name) . ') AND (PermissionValue = 1) AND (GroupId = ' . $group_id . ') AND (`Type` = 0) AND (CatId IN (' . $module_categories . '))';
+						$permission_ids = $this->Conn->GetCol($sql);
+
+						if ($permission_ids) {
+							if (!array_key_exists($permission_name, $permissions)) {
+								$permissions[$permission_name] = Array ();
+							}
+
+							$permissions[$permission_name][] = $group_id;
+							$delete_permission_ids = array_merge($delete_permission_ids, $permission_ids);
+						}
+					}
+				}
+
+				if ($delete_permission_ids) {
+					// here we can delete some of permissions that will be added later
+					$sql = 'DELETE FROM ' . TABLE_PREFIX . 'Permissions
+							WHERE PermissionId IN (' . implode(',', $delete_permission_ids) . ')';
+					$this->Conn->Query($sql);
+				}
+
+				$home_category = $this->Application->findModule('Name', 'Core', 'RootCat');
+
+				foreach ($permissions as $permission_name => $permission_groups) {
+					// optimize a bit
+					$has_everyone = in_array(15, $permission_groups);
+
+					if ($has_everyone || (!$has_everyone && count($permission_groups) == $user_group_count - 1)) {
+						// has permission for "Everyone" group OR allowed in all groups except "Everyone" group
+						// so remove all other explicitly allowed permissions
+						$permission_groups = Array (15);
+					}
+
+					foreach ($permission_groups as $group_id) {
+						$fields_hash = Array (
+							'Permission' => $permission_name,
+							'GroupId' => $group_id,
+							'PermissionValue' => 1,
+							'Type' => 0, // category-based permission,
+							'CatId' => $home_category,
+						);
+
+						$this->Conn->doInsert($fields_hash, TABLE_PREFIX . 'Permissions');
+					}
+				}
+
+				$updater =& $this->Application->recallObject('kPermCacheUpdater');
+				/* @var $updater kPermCacheUpdater */
+
+				$updater->OneStepRun();
+			}
+		}
 	}
\ No newline at end of file
Index: install/upgrades.sql
===================================================================
--- install/upgrades.sql	(revision 13311)
+++ install/upgrades.sql	(working copy)
@@ -1630,4 +1630,6 @@
 
 UPDATE Phrase
 SET Module = 'Core'
-WHERE Phrase IN ('la_fld_Image', 'la_fld_Qty');
\ No newline at end of file
+WHERE Phrase IN ('la_fld_Image', 'la_fld_Qty');
+
+# ===== v 5.0.3-B2 =====
\ No newline at end of file
Index: units/categories/categories_event_handler.php
===================================================================
--- units/categories/categories_event_handler.php	(revision 13311)
+++ units/categories/categories_event_handler.php	(working copy)
@@ -783,12 +783,12 @@
 			}
 
 			$object =& $event->getObject();
-			/* @var $object kDBItem */
+			/* @var $object CategoriesItem */
 
-			if ($object->IsRoot()) {
+			/*if ($object->IsRoot()) {
 				$event->setEventParam('master_ids', Array(0));
 				$this->RemoveRequiredFields($object);
-			}
+			}*/
 
 			parent::OnSave($event);
 
Index: units/permissions/permissions_tag_processor.php
===================================================================
--- units/permissions/permissions_tag_processor.php	(revision 13311)
+++ units/permissions/permissions_tag_processor.php	(working copy)
@@ -81,6 +81,7 @@
 		function PrintPermissions($params)
 		{
 			$category =& $this->Application->recallObject('c');
+			/* @var $category kDBItem */
 
 			$group_id = $this->Application->GetVar('group_id');
 			$prefix = $this->Application->GetVar('item_prefix');
@@ -103,20 +104,20 @@
 			$this_cat = array_pop($categories);
 
 			// get permission name + category position in parent path that has value set for that permission
-			$case = 'MAX(CASE c.CategoryId';
+			$case = 'MAX(CASE p.CatId';
 			foreach ($categories as $pos => $cat_id) {
 				$case .= ' WHEN '.$cat_id.' THEN '.$pos;
 			}
 			$case .= ' END) AS InheritedPosition';
+
 			$sql = 'SELECT '.$case.', p.Permission AS Perm
-					FROM '.TABLE_PREFIX.'Category c
-					LEFT JOIN '.$perm_live_table.' p ON p.CatId = c.CategoryId
+					FROM '.$perm_live_table.' p
 					LEFT JOIN '.TABLE_PREFIX.'PermissionConfig pc ON pc.PermissionName = p.Permission
 					WHERE
-						CategoryId IN ('.implode(',', $categories).') AND
-						ModuleId = "'.$module.'" AND
+						p.CatId IN ('.implode(',', $categories).') AND
+						pc.ModuleId = ' . $this->Conn->qstr($module) . ' AND
 						(
-							(p.GroupId = '.(int)$group_id.' AND p.Type = 0)
+							(p.GroupId = ' . (int)$group_id . ' AND p.Type = 0)
 						)
 					GROUP BY Perm';
 			$perm_positions = $this->Conn->GetCol($sql, 'Perm');