diff --git a/interface/patient_file/pos_checkout_normal.php b/interface/patient_file/pos_checkout_normal.php
@@ -55,10 +55,16 @@
 use OpenEMR\Billing\BillingUtilities;
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\OeUI\OemrUI;
 use OpenEMR\Services\FacilityService;
 
+if (!AclMain::aclCheckCore('acct', 'bill', '', 'write')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Patient Checkout")]);
+    exit;
+}
+
 $facilityService = new FacilityService();
 
 $currdecimals = $GLOBALS['currency_decimals'];

diff --git a/interface/patient_file/summary/demographics.php b/interface/patient_file/summary/demographics.php
@@ -908,7 +908,7 @@ function setMyPatient() {
     $thisauth = AclMain::aclCheckCore('patients', 'demo');
 
     if (!$thisauth || !$viewEvent->authorized()) {
-        echo $twig->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Medical Dashboard")]);
+        echo $twig->getTwig()->render('core/unauthorized-partial.html.twig', ['pageTitle' => xl("Medical Dashboard")]);
         exit();
     }
     ?>

diff --git a/interface/patient_file/summary/labdata.php b/interface/patient_file/summary/labdata.php
@@ -37,9 +37,16 @@
 require_once("../../../library/options.inc.php");
 require_once($GLOBALS["srcdir"] . "/api.inc");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'lab')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Labs")]);
+    exit;
+}
+
 // Set the path to this script
 $path_to_this_script = $rootdir . "/patient_file/summary/labdata.php";
 

diff --git a/interface/patient_file/transaction/record_request.php b/interface/patient_file/transaction/record_request.php
@@ -12,9 +12,16 @@
 
 require_once("../../globals.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Patient Records Request")]);
+    exit;
+}
+
 ?>
 <html>
 <head>

diff --git a/interface/reports/amc_tracking.php b/interface/reports/amc_tracking.php
@@ -15,9 +15,16 @@
 require_once "$srcdir/options.inc.php";
 require_once "$srcdir/amc.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Automated Measure Calculations (AMC) Tracking")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/appt_encounter_report.php b/interface/reports/appt_encounter_report.php
@@ -33,21 +33,23 @@
 require_once("../../custom/code_types.inc.php");
 
 use OpenEMR\Billing\BillingUtilities;
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\Services\FacilityService;
-use OpenEMR\Common\Acl\AclMain;
+
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Appointments and Encounters")]);
+    exit;
+}
 
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
     }
 }
 
-if (!AclMain::aclCheckCore('patients', 'appt') || !AclMain::aclCheckCore('acct', 'rep_a')) {
-    die(xlt("Unauthorized access."));
-}
-
 $facilityService = new FacilityService();
 
 $errmsg  = "";

diff --git a/interface/reports/clinical_reports.php b/interface/reports/clinical_reports.php
@@ -17,9 +17,16 @@
 require_once("../drugs/drugs.inc.php");
 require_once("../../custom/code_types.inc.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Clinical Reports")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/custom_report_range.php b/interface/reports/custom_report_range.php
@@ -15,11 +15,18 @@
 require_once("$srcdir/patient.inc");
 require_once("$srcdir/report.inc");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Billing\BillingUtilities;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\Services\FacilityService;
 
+if (!AclMain::aclCheckCore('encounters', 'coding_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Superbill")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/daily_summary_report.php b/interface/reports/daily_summary_report.php
@@ -19,10 +19,17 @@
 require_once "$srcdir/options.inc.php";
 require_once "$srcdir/appointments.inc.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\Services\FacilityService;
 
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Daily Summary Report")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/encounters_report.php b/interface/reports/encounters_report.php
@@ -22,10 +22,17 @@
 require_once("$srcdir/patient.inc");
 require_once "$srcdir/options.inc.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Billing\BillingUtilities;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('encounters', 'coding_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Encounters Report")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/front_receipts_report.php b/interface/reports/front_receipts_report.php
@@ -16,9 +16,16 @@
 require_once("$srcdir/patient.inc");
 require_once "$srcdir/options.inc.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Front Office Receipts")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/immunization_report.php b/interface/reports/immunization_report.php
@@ -14,9 +14,16 @@
 require_once("../globals.php");
 require_once("$srcdir/patient.inc");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Immunization Registry")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/insurance_allocation_report.php b/interface/reports/insurance_allocation_report.php
@@ -15,9 +15,16 @@
 require_once("../globals.php");
 require_once("../../library/patient.inc");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Patient Insurance Distribution")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/non_reported.php b/interface/reports/non_reported.php
@@ -22,9 +22,16 @@
 require_once("$srcdir/patient.inc");
 require_once("../../custom/code_types.inc.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Syndromic Surveillance - Non Reported Issues")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/patient_list_creation.php b/interface/reports/patient_list_creation.php
@@ -19,9 +19,16 @@
 require_once("../drugs/drugs.inc.php");
 require_once("$srcdir/payment_jav.inc.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Patient List Creation")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
@@ -198,18 +205,18 @@ function srch_option_change(elem) {
                 $('#sortby').val('');
                 $('#sortorder').val('');
 
-                if(elem.value == 'Communication') { 
+                if(elem.value == 'Communication') {
                     $('#communication').val('');
                     $('#com_pref').show();
-                } else { 
+                } else {
                     $('#communication').val('');
                     $('#com_pref').hide();
                 }
-                
-                if(elem.value == 'Insurance Companies') { 
+
+                if(elem.value == 'Insurance Companies') {
                     $('#insurance_companies').val('');
                     $('#ins_co').show();
-                } else { 
+                } else {
                     $('#insurance_companies').val('');
                     $('#ins_co').hide();
                     }
@@ -268,10 +275,10 @@ function srch_option_change(elem) {
                                 </td>
                                 <td class='col-form-label'><?php echo xlt('Option'); ?>: </td>
                                 <td class='col-form-label'>
-                                    <select class="form-control" name="srch_option" id="srch_option" 
+                                    <select class="form-control" name="srch_option" id="srch_option"
                                         onchange="srch_option_change(this)">
                                         <?php foreach ($search_options as $skey => $svalue) { ?>
-                                            <option <?php echo (!empty($_POST['srch_option']) && ($_POST['srch_option'] == $skey)) ? 'selected' : ''; ?> 
+                                            <option <?php echo (!empty($_POST['srch_option']) && ($_POST['srch_option'] == $skey)) ? 'selected' : ''; ?>
                                             value="<?php echo attr($skey); ?>"><?php echo text($svalue); ?></option>
                                         <?php } ?>
                                     </select>

diff --git a/interface/reports/prescriptions_report.php b/interface/reports/prescriptions_report.php
@@ -18,9 +18,16 @@
 require_once("$srcdir/options.inc.php");
 require_once("../drugs/drugs.inc.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'rx')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Prescriptions and Dispensations")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/receipts_by_method_report.php b/interface/reports/receipts_by_method_report.php
@@ -28,10 +28,16 @@
 
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\Services\InsuranceCompanyService;
 use OpenEMR\Services\InsuranceService;
 
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Receipts Summary")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
@@ -228,10 +234,6 @@ function payerCmp($a, $b)
     return 0;
 }
 
-if (! AclMain::aclCheckCore('acct', 'rep')) {
-    die(xlt("Unauthorized access."));
-}
-
 $form_from_date = (isset($_POST['form_from_date'])) ? DateToYYYYMMDD($_POST['form_from_date']) : date('Y-m-d');
 $form_to_date   = (isset($_POST['form_to_date'])) ? DateToYYYYMMDD($_POST['form_to_date']) : date('Y-m-d');
 $form_use_edate = $_POST['form_use_edate'] ?? null;

diff --git a/interface/reports/referrals_report.php b/interface/reports/referrals_report.php
@@ -18,9 +18,16 @@
 require_once("$srcdir/patient.inc");
 require_once "$srcdir/options.inc.php";
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Referrals")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/report_results.php b/interface/reports/report_results.php
@@ -18,9 +18,16 @@
 require_once "$srcdir/report_database.inc";
 
 use OpenEMR\ClinicialDecisionRules\AMC\CertificationReportTypes;
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('patients', 'med')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Report Results/History")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/reports/sales_by_item.php b/interface/reports/sales_by_item.php
@@ -20,15 +20,26 @@
 
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('acct', 'rep') && !AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Sales by Item")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
     }
 }
 
 $form_provider  = $_POST['form_provider'] ?? null;
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    // only allow user to see their encounter information
+    $form_provider = $_SESSION['authUserID'];
+}
+
 if (!empty($_POST['form_refresh']) || !empty($_POST['form_csvexport'])) {
     $form_details = (!empty($_POST['form_details'])) ? true : false;
 } else {
@@ -248,10 +259,6 @@ function thisLineItem($patient_id, $encounter_id, $rowcat, $description, $transd
     $grandqty     += $qty;
 } // end function
 
-if (! AclMain::aclCheckCore('acct', 'rep')) {
-    die(xlt("Unauthorized access."));
-}
-
 $form_from_date = (isset($_POST['form_from_date'])) ? DateToYYYYMMDD($_POST['form_from_date']) : date('Y-m-d');
 $form_to_date   = (isset($_POST['form_to_date'])) ? DateToYYYYMMDD($_POST['form_to_date']) : date('Y-m-d');
 $form_facility  = $_POST['form_facility'] ?? null;

diff --git a/interface/reports/svc_code_financial_report.php b/interface/reports/svc_code_financial_report.php
@@ -26,8 +26,14 @@
 
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('acct', 'rep_a')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Financial Summary by Service Code")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();
@@ -40,11 +46,6 @@
 $grand_total_amt_adjustment  = 0;
 $grand_total_amt_balance  = 0;
 
-
-if (!AclMain::aclCheckCore('acct', 'rep')) {
-    die(xlt("Unauthorized access."));
-}
-
 $form_from_date = (isset($_POST['form_from_date'])) ? DateToYYYYMMDD($_POST['form_from_date']) : date('Y-m-d');
 $form_to_date   = (isset($_POST['form_to_date'])) ? DateToYYYYMMDD($_POST['form_to_date']) : date('Y-m-d');
 $form_facility  = $_POST['form_facility'] ?? null;

diff --git a/interface/super/rules/include/header.php b/interface/super/rules/include/header.php
@@ -8,11 +8,18 @@
  // of the License, or (at your option) any later version.
 
 
-require("../../globals.php");
-
+require_once("../../globals.php");
 require_once("ui.php");
 require_once("common.php");
 
+use OpenEMR\Common\Acl\AclMain;
+use OpenEMR\Common\Twig\TwigContainer;
+
+if (!AclMain::aclCheckCore('admin', 'super')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Rules")]);
+    exit;
+}
+
 // recursively require all .php files in the base library folder
 foreach (glob(base_dir() . "base/library/*.php") as $filename) {
     require_once($filename);

diff --git a/interface/usergroup/addrbook_list.php b/interface/usergroup/addrbook_list.php
@@ -20,8 +20,14 @@
 
 use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 
+if (!AclMain::aclCheckCore('admin', 'practice')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Address Book")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/interface/usergroup/facilities.php b/interface/usergroup/facilities.php
@@ -16,10 +16,17 @@
 
 require_once("../globals.php");
 
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
 use OpenEMR\Core\Header;
 use OpenEMR\Services\FacilityService;
 
+if (!AclMain::aclCheckCore('admin', 'users')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Facilities")]);
+    exit;
+}
+
 if (!empty($_POST)) {
     if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
         CsrfUtils::csrfNotVerified();

diff --git a/library/dicom_frame.php b/library/dicom_frame.php
@@ -18,8 +18,15 @@
 
 require_once('../interface/globals.php');
 
-use OpenEMR\Core\Header;
+use OpenEMR\Common\Acl\AclMain;
 use OpenEMR\Common\Csrf\CsrfUtils;
+use OpenEMR\Common\Twig\TwigContainer;
+use OpenEMR\Core\Header;
+
+if (!AclMain::aclCheckCore('patients', 'docs')) {
+    echo (new TwigContainer(null, $GLOBALS['kernel']))->getTwig()->render('core/unauthorized.html.twig', ['pageTitle' => xl("Dicom Viewer")]);
+    exit;
+}
 
 $web_path = $_REQUEST['web_path'] ?? null;
 if ($web_path) {

diff --git a/src/Common/Acl/AclMain.php b/src/Common/Acl/AclMain.php
@@ -157,12 +157,9 @@ public static function clearGaclCache()
      * @param string       $value        Subcategory of ACO
      * @param string       $user         Optional user being checked for access.
      * @param string|array $return_value Type or types of access being requested.
-     * @return bool|array  FALSE if access is denied, TRUE if allowed. An
-     *                     array() of bools is returned if $return_value is an
-     *             array, representing results for each type of access
-     *             requested.
+     * @return bool  FALSE if access is denied, TRUE if allowed.
      */
-    public static function aclCheckCore($section, $value, $user = '', $return_value = '')
+    public static function aclCheckCore($section, $value, $user = '', $return_value = ''): bool
     {
         if (! $user) {
             $user = $_SESSION['authUser'];

diff --git a/templates/core/unauthorized-partial.html.twig b/templates/core/unauthorized-partial.html.twig
@@ -0,0 +1,7 @@
+<div class="d-flex w-100 h-75 align-items-center justify-content-center">
+    <h3>
+        {{ pageTitle|text }} {{ "Not Authorized"|xlt }}
+    </h3>
+</div>
+</body>
+</html>
diff --git a/templates/core/unauthorized.html.twig b/templates/core/unauthorized.html.twig
@@ -1,7 +1,13 @@
-<div class="d-flex w-100 h-75 align-items-center justify-content-center">
-    <h3>
-        {{ pageTitle|text }} {{ "Not Authorized"|xlt }}
-    </h3>
-</div>
-</body>
+<html>
+    <head>
+        <title>{{ pageTitle|text }}</title>
+        {{ setupHeader() }}
+    </head>
+    <body>
+        <div class="d-flex w-100 h-75 align-items-center justify-content-center">
+            <h3>
+                {{ pageTitle|text }} {{ "Not Authorized"|xlt }}
+            </h3>
+        </div>
+    </body>
 </html>