diff --git a/htdocs/don/card.php b/htdocs/don/card.php
index 91a13a93093..459c892a1d9 100644
--- a/htdocs/don/card.php
+++ b/htdocs/don/card.php
@@ -48,6 +48,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php';
 $langs->loadLangs(array('bills', 'companies', 'donations', 'users'));
 $id = GETPOST('rowid') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
+$ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $confirm = GETPOST('confirm', 'alpha');
@@ -58,10 +59,11 @@ $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
 $public_donation = (int) GETPOST("public", 'int');
 $object = new Don($db);
-$extrafields = new ExtraFields($db);
+if ($id > 0 || $ref) {
+ $object->fetch($id, $ref);
+}
-// Security check
-$result = restrictedArea($user, 'don', $id);
+$extrafields = new ExtraFields($db);
 // fetch optionals attributes and labels
 $extrafields->fetch_name_optionals_label($object->table_element);
@@ -71,6 +73,11 @@ $search_array_options = $extrafields->getOptionalsFromPost($object->table_elemen
 $hookmanager->initHooks(array('doncard', 'globalcard'));
 $upload_dir = $conf->don->dir_output;
+
+
+// Security check
+$result = restrictedArea($user, 'don', $object->id);
+
 $permissiontoadd = $user->rights->don->creer;
diff --git a/htdocs/don/document.php b/htdocs/don/document.php
index b6b7e6a24d3..a5aa3984202 100644
--- a/htdocs/don/document.php
+++ b/htdocs/don/document.php
@@ -49,13 +49,6 @@ $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
-// Security check
-if ($user->socid) {
- $socid = $user->socid;
-}
-$result = restrictedArea($user, 'don', $id, '');
-
-
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma');
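Review bot: In htdocs/don/card.php the return value of `$object->fetch($id, $ref)` (hunk at -58,10) is ignored, so when the lookup fails the relocated `restrictedArea($user, 'don', $object->id)` (hunk at -71,6) is called with an empty id. That call would then presumably verify only the module-level permission, which needs confirming against `restrictedArea()` since it is not shown here, while code further down the page may still act on the request `$id`. Stop early instead, e.g. `if (($id > 0 || $ref) && $object->fetch($id, $ref) <= 0) { accessforbidden(); }`, assuming `fetch()` follows the usual convention of returning a value <= 0 when nothing is loaded. The same unchecked fetch feeds the check in document.php, info.php and note.php.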
@@ -74,13 +67,20 @@ if (!$sortfield) {
 $sortfield = "name";
 }
-
 $object = new Don($db);
-$object->fetch($id, $ref);
+if ($id > 0 || $ref) {
+ $object->fetch($id, $ref);
+}
 $upload_dir = $conf->don->dir_output.'/'.get_exdir($id, 0, 0, 0, $object, 'donation').'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'don';
+// Security check
+if ($user->socid) {
+ $socid = $user->socid;
+}
+$result = restrictedArea($user, 'don', $object->id);
+
 $permissiontoadd = $user->rights->don->creer; // Used by the include of actions_dellink.inc.php
diff --git a/htdocs/don/index.php b/htdocs/don/index.php
index 721cfb8d67a..c402ecd6f0e 100644
--- a/htdocs/don/index.php
+++ b/htdocs/don/index.php
@@ -35,11 +35,11 @@ $hookmanager->initHooks(array('donationindex'));
 $langs->load("donations");
+$donation_static = new Don($db);
+
 // Security check
 $result = restrictedArea($user, 'don');
-$donation_static = new Don($db);
-
 /*
 * Actions
diff --git a/htdocs/don/info.php b/htdocs/don/info.php
index 82dd9842210..ad67cceb30c 100644
--- a/htdocs/don/info.php
+++ b/htdocs/don/info.php
@@ -38,14 +38,17 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
+$object = new Don($db);
+if ($id > 0 || $ref) {
+ $object->fetch($id, $ref);
+}
+
 // Security check
 if ($user->socid) {
 $socid = $user->socid;
 }
-$result = restrictedArea($user, 'don', $id, '');
+$result = restrictedArea($user, 'don', $object->id);
-$object = new Don($db);
-$object->fetch($id);
 /*
diff --git a/htdocs/don/list.php b/htdocs/don/list.php
index c3cb4d9ce58..2de55bbcc44 100644
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@@ -88,6 +88,11 @@ $fieldstosearchall = array(
 'd.firstname'=>'Firstname',
 );
+// Security check
+$result = restrictedArea($user, 'don');
+
+
+
 /*
 * View
diff --git a/htdocs/don/note.php b/htdocs/don/note.php
index 4d84c4b1417..dd3f4e176ce 100644
--- a/htdocs/don/note.php
+++ b/htdocs/don/note.php
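Review bot: In htdocs/don/document.php, `$upload_dir` is still built from the request `$id` and from `$object->ref`, ahead of the relocated security check and without confirming that the fetch loaded anything. When the page is opened with `ref` only, `$id` is empty, and when the fetch fails `$object->ref` is empty, so `dol_sanitizeFileName($object->ref)` contributes nothing and the path may resolve to a shared parent directory rather than one donation's folder (inferred; `get_exdir()` is not visible here). Pass the resolved id, `get_exdir($object->id, 0, 0, 0, $object, 'donation')`, and build the path only when `$object->id > 0`.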
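Review bot: In htdocs/don/info.php the block kept under "Security check" assigns `$socid` only when `$user->socid` is set, and the new `restrictedArea($user, 'don', $object->id)` call does not receive it, so the block reads as a third-party restriction that the visible call does not apply. If nothing after this hunk reads `$socid`, remove the assignment; otherwise initialise it first with `$socid = 0;`, as note.php does, and add a comment naming where it is used. document.php adds the same block in its -74,13 hunk. The code after both hunks is outside the diff, so whether `$socid` is read later has to be checked in the files.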
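Review bot: In htdocs/don/list.php the new `restrictedArea($user, 'don')` is placed after the `$fieldstosearchall` definition, directly above the View section, whereas index.php runs the same check right after loading translations. Whatever executes in the lines above this hunk (hook initialisation or action handling, if any; not visible here) would run before the permission check. Move the comment and the call up to just after the request parameters are read, and drop the three blank lines added after the call.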
@@ -43,17 +43,19 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0);
+$hookmanager->initHooks(array('donnote'));
+
+$object = new Don($db);
+if ($id > 0 || $ref) {
+ $object->fetch($id, $ref);
+}
+
 // Security check
 $socid = 0;
 if ($user->socid) {
 $socid = $user->socid;
 }
-$hookmanager->initHooks(array('donnote'));
-
-$result = restrictedArea($user, 'don', $id, '');
-
-$object = new Don($db);
-$object->fetch($id);
+$result = restrictedArea($user, 'don', $object->id, '');
 $permissionnote = $user->rights->don->creer; // Used by the include of actions_setnotes.inc.php
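Review bot: In htdocs/don/note.php the relocated call keeps the empty fourth argument, `restrictedArea($user, 'don', $object->id, '')`, while card.php, document.php and info.php drop it in this same commit. Make the call sites match so that a later audit of the donation pages can compare them line for line: `$result = restrictedArea($user, 'don', $object->id);`. The `$socid` value set just above is likewise not passed to the call in the visible lines, so either remove it or add a comment saying what reads it.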