diff --git a/htdocs/projet/ajax/projects.php b/htdocs/projet/ajax/projects.php
index 74d9236d26d..e420467d803 100644
--- a/htdocs/projet/ajax/projects.php
+++ b/htdocs/projet/ajax/projects.php
@@ -51,6 +51,9 @@ $htmlname = GETPOST('htmlname', 'aZ09');
 $socid = GETPOST('socid', 'int');
 $discard_closed = GETPOST('discardclosed', 'int');
 
+// Security check
+restrictedArea($user, 'projet', 0, 'projet&project');
+
 /*
  * View
diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php
index 916f23eb056..95fd6388911 100644
--- a/htdocs/projet/card.php
+++ b/htdocs/projet/card.php
@@ -78,17 +78,17 @@ if ($id > 0 || !empty($ref)) {
 }
 }
 
-// Security check
-$socid = GETPOST('socid', 'int');
-//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
-$result = restrictedArea($user, 'projet', $object->id, 'projet&project');
-
 // fetch optionals attributes and labels
 $extrafields->fetch_name_optionals_label($object->table_element);
 
 $date_start = dol_mktime(0, 0, 0, GETPOST('projectstartmonth', 'int'), GETPOST('projectstartday', 'int'), GETPOST('projectstartyear', 'int'));
 $date_end = dol_mktime(0, 0, 0, GETPOST('projectendmonth', 'int'), GETPOST('projectendday', 'int'), GETPOST('projectendyear', 'int'));
 
+// Security check
+$socid = GETPOST('socid', 'int');
+//if ($user->socid > 0) $socid = $user->socid; // For external user, no check is done on company because readability is managed by public status of project and assignement.
+restrictedArea($user, 'projet', $object->id, 'projet&project');
+
 /*
  * Actions
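Review bot: The added `restrictedArea($user, 'projet', 0, 'projet&project');` passes objectid 0, so it verifies only the module-level 'projet' right and does not relate the request-supplied `$socid` to the caller; for an external user (`$user->socid > 0`) the endpoint therefore still depends on whatever filtering the project query in the View section applies, which lies outside this hunk. The bare `// Security check` comment should state that scope, e.g. `// Security check: module-level right only (objectid 0); per-project visibility must be enforced by the query below`. If that query does not restrict by the user's visibility, the `$socid` override for external users that card.php keeps commented out is presumably what is needed here instead, but that cannot be confirmed from the hunk. The hunk's trailing context appears cut off after ` * View`.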
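Review bot: The security check is moved from directly under the `$object->fetch()` block to after `fetch_name_optionals_label()` and the two `dol_mktime()` calls, so more code now executes before authorization, and nothing in the hunk shows why the reordering is necessary — those lines only use `$object->table_element` and GETPOST integers, which are equally available at the original position. If there is a reason (for instance the check needs extrafields loaded), record it in the comment, `// Security check (placed after extrafields load because: <reason>)`; otherwise keeping the check directly under the fetch block ensures any statement added to this section later stays behind it. Dropping the unused `$result =` is fine, as `restrictedArea()` presumably terminates the request on denial rather than returning a value callers act on. The enclosing top-level statement run continues outside the hunk, and the trailing context appears cut off after ` * Actions`.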