diff --git a/htdocs/projet/commandes.php b/htdocs/projet/commandes.php
index 933f516da91..a383566134a 100644
--- a/htdocs/projet/commandes.php
+++ b/htdocs/projet/commandes.php
@@ -43,11 +43,31 @@ if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
+$projetid='';
+if ($_GET["id"]) { $projetid=$_GET["id"]; }
+
+if ($projetid == '') accessforbidden();
+
 if ($user->societe_id > 0)
 {
 $socidp = $user->societe_id;
 }
+// Protection restriction commercial
+if ($projetid)
+{
+ $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
+ $sql .= " WHERE p.rowid = ".$projetid;
+ if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+ if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 llxHeader("","../");
diff --git a/htdocs/projet/fiche.php b/htdocs/projet/fiche.php
index e36b00dc87f..b0289d2eb2d 100644
--- a/htdocs/projet/fiche.php
+++ b/htdocs/projet/fiche.php
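Review bot: `$projetid` is copied straight from `$_GET["id"]` and concatenated into `" WHERE p.rowid = ".$projetid`, so the request parameter reaches the SQL text unvalidated; the identical block is added in fiche.php, index.php, propal.php and tasks/fiche.php and needs the same treatment there. Cast at the boundary, `$projetid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;` followed by `if ($projetid <= 0) accessforbidden();`, so only an integer can appear in the query. The check also fails open: when `$db->query($sql)` returns false (a non-numeric id would likely produce exactly that) nothing is denied and the page goes on to render, so the `if ( $db->query($sql) )` needs an `else accessforbidden();` branch. Two smaller points: when the user has `commercial->client->voir` and no `$socidp`, the `societe_commerciaux, projet` pair has no join condition, so the row count reflects the size of that table rather than the project, and `$socidp` is never initialised on the non-client path before `!$socidp` reads it, so `$socidp = 0;` belongs next to `$projetid=''`.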
@@ -34,6 +34,35 @@ require_once(DOL_DOCUMENT_ROOT."/commande/commande.class.php");
 if (!$user->rights->projet->lire) accessforbidden();
+/*
+ * Sécurité accés client
+ */
+$projetid='';
+if ($_GET["id"]) { $projetid=$_GET["id"]; }
+
+if ($projetid == '') accessforbidden();
+
+if ($user->societe_id > 0)
+{
+ $socidp = $user->societe_id;
+}
+
+// Protection restriction commercial
+if ($projetid)
+{
+ $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
+ $sql .= " WHERE p.rowid = ".$projetid;
+ if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+ if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
+
 if ($_POST["action"] == 'add' && $user->rights->projet->creer)
 {
 $pro = new Project($db);
diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php
index b636b33694e..5d272dd4e3f 100644
--- a/htdocs/projet/index.php
+++ b/htdocs/projet/index.php
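Review bot: The unconditional `if ($projetid == '') accessforbidden();` sits directly above the `if ($_POST["action"] == 'add' && $user->rights->projet->creer)` handler, and a create request has no existing project id; if the creation form posts to fiche.php without an `id` query parameter (the form itself is not in the hunk), project creation is now denied before the handler is reached. Either exempt the add action, `if ($projetid == '' && $_POST["action"] != 'add') accessforbidden();`, or place the id requirement after the add branch. This is also the second verbatim copy of the access block in the commit; a single helper under htdocs/projet (constructed name, e.g. `projet_check_access($db, $user, $projetid)`) included by the five pages would keep the next fix to the query in one place.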
@@ -33,12 +33,34 @@ $langs->load("projects");
 if (!$user->rights->projet->lire) accessforbidden();
-// Sécurité accés client
+/*
+ * Sécurité accés client
+ */
+$projetid='';
+if ($_GET["id"]) { $projetid=$_GET["id"]; }
+
+if ($projetid == '') accessforbidden();
+
 if ($user->societe_id > 0)
 {
 $socidp = $user->societe_id;
 }
+// Protection restriction commercial
+if ($projetid)
+{
+ $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
+ $sql .= " WHERE p.rowid = ".$projetid;
+ if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+ if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 llxHeader("",$langs->trans("Projects"),"Projet");
 print_fiche_titre($langs->trans("ProjectsArea"));
diff --git a/htdocs/projet/propal.php b/htdocs/projet/propal.php
index 63d7e571a1d..15cfadc750b 100644
--- a/htdocs/projet/propal.php
+++ b/htdocs/projet/propal.php
@@ -44,11 +44,31 @@ if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
+$projetid='';
+if ($_GET["id"]) { $projetid=$_GET["id"]; }
+
+if ($projetid == '') accessforbidden();
+
 if ($user->societe_id > 0)
 {
 $socidp = $user->societe_id;
 }
+// Protection restriction commercial
+if ($projetid)
+{
+ $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
+ $sql .= " WHERE p.rowid = ".$projetid;
+ if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+ if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 llxHeader("","../");
diff --git a/htdocs/projet/tasks/fiche.php b/htdocs/projet/tasks/fiche.php
index 382bc39bc6a..6909c70634b 100644
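Review bot: Requiring an `id` parameter in index.php looks like a regression rather than a protection: the page goes on to print the projects area (`print_fiche_titre($langs->trans("ProjectsArea"))`), a listing that is presumably reached without a project id, so `if ($projetid == '') accessforbidden();` would deny every ordinary visit to the area. If the intent is only to apply the commercial restriction when an id happens to be supplied, drop that line here and keep the `if ($projetid)` guard around the query. The query itself has the same unvalidated-id and fail-open problems as in commandes.php.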
--- a/htdocs/projet/tasks/fiche.php
+++ b/htdocs/projet/tasks/fiche.php
@@ -36,12 +36,31 @@ if (!$user->rights->projet->lire) accessforbidden();
 /*
 * Sécurité accés client
 */
+$projetid='';
+if ($_GET["id"]) { $projetid=$_GET["id"]; }
+
+if ($projetid == '') accessforbidden();
+
 if ($user->societe_id > 0)
 {
- $action = '';
 $socidp = $user->societe_id;
 }
+// Protection restriction commercial
+if ($projetid)
+{
+ $sql = "SELECT sc.fk_soc, p.rowid, p.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."projet as p";
+ $sql .= " WHERE p.rowid = ".$projetid;
+ if (!$user->rights->commercial->client->voir && !$socidp) $sql .= " AND sc.fk_soc = p.fk_soc AND fk_user = ".$user->id;
+ if ($socidp) $sql .= " AND p.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
 Function PLines(&$inc, $parent, $lines, &$level, $actors)
 {
 $form = new Form($db); // $db est null ici mais inutile pour la fonction select_date()
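Review bot: The hunk removes `$action = '';` from the `$user->societe_id > 0` branch without a replacement, and nothing else in the hunk resets `$action` for that case. If `$action` is the requested page action (its use is outside the hunk), this reset was what kept external client users from driving the task actions of this page, and dropping it widens what such users can do; either restore the line or add a comment on the branch stating where the equivalent reset now happens. `Function PLines(...)` begins on the hunk's last lines and continues beyond it.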