diff --git a/TODO b/TODO
index 36f2381d..b7aeccf6 100644
--- a/TODO
+++ b/TODO
@@ -6,10 +6,8 @@
* add support for defining max myaac version in plugin.json file
* cache Menus in templates
* don't show error indicators on first time load - createaccount page
- * update Twig to the latest version from 1.x branch
* semantic versioning support for plugins (github.com/composer/semver)
* add some notice to the user that installing step "Import Schema" will take some time
- * check user IP on installing to prevent install by random user
1.0:
* i18n support (issue #1 on github)
diff --git a/install/index.php b/install/index.php
index 10e7bf6e..a408e6a8 100644
--- a/install/index.php
+++ b/install/index.php
@@ -45,6 +45,10 @@ else {
}
}
+if($step == 'finish' && (!isset($config['installed']) || !$config['installed'])) {
+ $step = 'welcome';
+}
+
// step verify
$steps = array(1 => 'welcome', 2 => 'license', 3 => 'requirements', 4 => 'config', 5 => 'database', 6 => 'admin', 7 => 'finish');
if(!in_array($step, $steps)) // check if step is valid
@@ -151,12 +155,35 @@ $error = false;
clearstatcache();
if(is_writable(CACHE) && (MYAAC_OS != 'WINDOWS' || win_is_writable(CACHE))) {
- ob_start();
+ if(!file_exists(BASE . 'install/ip.txt')) {
+ $content = warning('AAC installation is disabled. To enable it make file ip.txt in install/ directory and put there your IP.
+ Your IP is:
' . $_SERVER['REMOTE_ADDR'] . '', true);
+ }
+ else {
+ $file_content = trim(file_get_contents(BASE . 'install/ip.txt'));
+ $allow = false;
+ $listIP = preg_split('/\s+/', $file_content);
+ foreach($listIP as $ip) {
+ if($_SERVER['REMOTE_ADDR'] == $ip) {
+ $allow = true;
+ }
+ }
+
+ if(!$allow)
+ {
+ $content = warning('In file install/ip.txt must be your IP!
+ In file is:
' . nl2br($file_content) . '
+ Your IP is:
' . $_SERVER['REMOTE_ADDR'] . '', true);
+ }
+ else {
+ ob_start();
- $step_id = array_search($step, $steps);
- require('steps/' . $step_id . '-' . $step . '.php');
- $content = ob_get_contents();
- ob_end_clean();
+ $step_id = array_search($step, $steps);
+ require('steps/' . $step_id . '-' . $step . '.php');
+ $content = ob_get_contents();
+ ob_end_clean();
+ }
+ }
}
else {
$content = error(file_get_contents(BASE . 'install/includes/twig_error.html'), true);
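Review bot: The rejection branch echoes the whole of install/ip.txt back to a visitor who has just failed the check (`nl2br($file_content)`), so anyone who reaches the installer learns which addresses are allowed. The message should report only the visitor's own address, and any value placed in it should go through `htmlspecialchars()`. The match is a loose `==` inside a loop; `$allow = in_array($_SERVER['REMOTE_ADDR'], $listIP, true);` is stricter and shorter. `file_get_contents()` can return false, which is passed straight to `trim()`, so an unreadable ip.txt should be treated as a denial explicitly. If the site sits behind a reverse proxy, REMOTE_ADDR is presumably the proxy's address, which deserves a comment next to the check.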
diff --git a/install/ip.txt b/install/ip.txt
new file mode 100644
index 00000000..d8111c20
--- /dev/null
+++ b/install/ip.txt
@@ -0,0 +1,3 @@
+127.0.0.1
+127.0.0.2
+::1
\ No newline at end of file
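Review bot: Committing ip.txt with loopback entries means the "installation is disabled" branch in install/index.php is never reached on a fresh checkout. On a host where a same-machine reverse proxy fronts PHP, every client would presumably appear as 127.0.0.1 and pass the check. Consider shipping the list as a sample under a different name (for example `ip.txt.dist`, a constructed name) so the installer stays closed until the operator adds an address. The file also lives under install/, so unless the web server denies access to it the allowlist can likely be fetched directly.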
diff --git a/system/template.php b/system/template.php
index 68d39471..4bebd4ac 100644
--- a/system/template.php
+++ b/system/template.php
@@ -15,22 +15,18 @@ if($config['template_allow_change'])
{
if(isset($_GET['template']))
{
- $template_name = $_GET['template'];
if(!preg_match("/[^A-z0-9_\-]/", $template_name)) { // validate template
//setcookie('template', $template_name, 0, BASE_DIR . '/', $_SERVER["SERVER_NAME"]);
+ $template_name = $_GET['template'];
setSession('template', $template_name);
header('Location:' . getSession('last_uri'));
}
- else
- $template_name = $config['template'];
}
else {
$template_session = getSession('template');
if ($template_session !== false) {
if (!preg_match("/[^A-z0-9_\-]/", $template_session)) {
$template_name = $template_session;
- } else {
- $template_name = $config['template'];
}
}
}
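Review bot: The `preg_match` at the top of the `$_GET['template']` branch still tests `$template_name`, but after this change that variable is no longer assigned from the request before the check. The pattern therefore runs against whatever value the variable held earlier (outside the hunk), and the raw `$_GET['template']` is then stored in the session unvalidated. Validate the request value itself: `if(!preg_match("/[^A-Za-z0-9_\-]/", $_GET['template'])) {`. The range `A-z` used in both patterns also admits `[`, `\`, `]`, `^` and a backtick, so `A-Za-z` is the class that was presumably intended. No `exit` follows the `Location` header in the visible lines, so the script likely keeps running with the new name; if that name is later used to build a file path, the missing validation matters on this request too.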