diff --git a/htdocs/bom/bom_note.php b/htdocs/bom/bom_note.php
index 1110bb4b0d4..539eb654751 100644
--- a/htdocs/bom/bom_note.php
+++ b/htdocs/bom/bom_note.php
@@ -97,45 +97,7 @@ if ($id > 0 || !empty($ref)) {
 	$linkback = '<a href="'.dol_buildpath('/bom/bom_list.php', 1).'?restore_lastsearch_values=1'.(!empty($socid) ? '&socid='.$socid : '').'">'.$langs->trans("BackToList").'</a>';
 
 	$morehtmlref = '<div class="refidno">';
-	/*
-	// Ref customer
-	$morehtmlref.=$form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
-	$morehtmlref.=$form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', null, null, '', 1);
-	// Thirdparty
-	$morehtmlref.='<br>'.$langs->trans('ThirdParty') . ' : ' . $object->thirdparty->getNomUrl(1);
-	// Project
-	if (! empty($conf->projet->enabled))
-	{
-		$langs->load("projects");
-		$morehtmlref.='<br>'.$langs->trans('Project') . ' ';
-		if ($user->rights->bom->creer)
-		{
-			if ($action != 'classify')
-				//$morehtmlref.='<a class="editfielda" href="' . $_SERVER['PHP_SELF'] . '?action=classify&amp;id=' . $object->id . '">' . img_edit($langs->transnoentitiesnoconv('SetProject')) . '</a> : ';
-				$morehtmlref.=' : ';
-				if ($action == 'classify') {
-					//$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
-					$morehtmlref.='<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
-					$morehtmlref.='<input type="hidden" name="action" value="classin">';
-					$morehtmlref.='<input type="hidden" name="token" value="'.newToken().'">';
-					$morehtmlref.=$formproject->select_projects($object->socid, $object->fk_project, 'projectid', $maxlength, 0, 1, 0, 1, 0, 0, '', 1);
-					$morehtmlref.='<input type="submit" class="button valignmiddle" value="'.$langs->trans("Modify").'">';
-					$morehtmlref.='</form>';
-				} else {
-					$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'none', 0, 0, 0, 1);
-				}
-		} else {
-			if (! empty($object->fk_project)) {
-				$proj = new Project($db);
-				$proj->fetch($object->fk_project);
-				$morehtmlref.='<a href="'.DOL_URL_ROOT.'/projet/card.php?id=' . $object->fk_project . '" title="' . $langs->trans('ShowProject') . '">';
-				$morehtmlref.=$proj->ref;
-				$morehtmlref.='</a>';
-			} else {
-				$morehtmlref.='';
-			}
-		}
-	}*/
+
 	$morehtmlref .= '</div>';
 
 
diff --git a/htdocs/variants/list.php b/htdocs/variants/list.php
index dd55b028ff9..dcf4fdcdb43 100644
--- a/htdocs/variants/list.php
+++ b/htdocs/variants/list.php
@@ -16,12 +16,15 @@
  */
 
 require '../main.inc.php';
+require DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php';
 
 $action = GETPOST('action', 'aZ09');
 $object = new ProductAttribute($db);
+$rowid = GETPOST('rowid', 'int');		// Id of line for up / down when no javascript available
 
 $permissiontoread = $user->rights->produit->lire || $user->rights->service->lire;
+$permissiontoadd = $user->rights->produit->creer || $user->rights->service->creer;
 
 // Security check
 if (empty($conf->variants->enabled)) {
@@ -30,6 +33,8 @@ if (empty($conf->variants->enabled)) {
 if ($user->socid > 0) { // Protection if external user
 	accessforbidden();
 }
+
+
 //$result = restrictedArea($user, 'variant');
 if (!$permissiontoread) accessforbidden();
 
@@ -39,13 +44,13 @@ if (!$permissiontoread) accessforbidden();
  * Actions
  */
 
-if ($action == 'up') {
+if ($action == 'up' && $permissiontoadd) {
 	$object->fetch($rowid);
 	$object->moveUp();
 
 	header('Location: '.$_SERVER['PHP_SELF']);
 	exit();
-} elseif ($action == 'down') {
+} elseif ($action == 'down' && $permissiontoadd) {
 	$object->fetch($rowid);
 	$object->moveDown();