diff --git a/htdocs/contrat/fiche.php b/htdocs/contrat/fiche.php
index 6d3fc3aaa56..0efa28f0981 100644
--- a/htdocs/contrat/fiche.php
+++ b/htdocs/contrat/fiche.php
@@ -38,10 +38,39 @@ $langs->load("orders");
 $langs->load("companies");
 $user->getrights('contrat');
+$user->getrights('commercial');
 if (! $user->rights->contrat->lire) accessforbidden();
+// Sécurité accés client et commerciaux
+$contratid = isset($_GET["id"])?$_GET["id"]:'';
+
+if ($user->societe_id > 0)
+{
+ $action = '';
+ $socidp = $user->societe_id;
+}
+
+// Protection restriction commercial
+if ($contratid)
+{
+ $sql = "SELECT sc.fk_soc, c.fk_soc";
+ $sql .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc, ".MAIN_DB_PREFIX."contrat as c";
+ $sql .= " WHERE c.rowid = ".$contratid;
+ if (!$user->rights->commercial->client->voir && !$user->societe_id > 0)
+ {
+ $sql .= " AND sc.fk_soc = c.fk_soc AND sc.fk_user = ".$user->id;
+ }
+ if ($user->societe_id > 0) $sql .= " AND c.fk_soc = ".$socidp;
+
+ if ( $db->query($sql) )
+ {
+ if ( $db->num_rows() == 0) accessforbidden();
+ }
+}
+
+
 // Param si create
 $date_start='';
 $date_end='';
@@ -75,13 +104,6 @@ if ($_POST["date_end_real_updatemonth"] && $_POST["date_end_real_updateday"] &&
 $date_end_real_update=mktime(12, 0 , 0, $_POST["date_end_real_updatemonth"], $_POST["date_end_real_updateday"], $_POST["date_end_real_updateyear"]);
 }
-// Sécurité accés client
-if ($user->societe_id > 0)
-{
- $action = '';
- $socidp = $user->societe_id;
-}
-
 /*
 * Actions
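Review bot: `$contratid` is taken straight from `$_GET["id"]` and concatenated into `" WHERE c.rowid = ".$contratid` without any cast or validation, so the new access-control query itself is built from untrusted input; since `c.rowid` is an integer column, the fix is to coerce at the boundary, `$contratid = isset($_GET["id"]) ? (int) $_GET["id"] : 0;`, which also makes the later `if ($contratid)` guard unambiguous. The check also fails open: when `$db->query($sql)` returns false nothing calls `accessforbidden()`, so a malformed or failing query grants access instead of denying it — prefer `if (! $db->query($sql) || $db->num_rows() == 0) accessforbidden();`. The condition `!$user->societe_id > 0` parses as `(!$user->societe_id) > 0`, which only happens to behave as intended for non-negative ids; write `!($user->societe_id > 0)` or `$user->societe_id <= 0` to say what is meant. The second hunk only removes the block relocated here and needs no separate change.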