diff --git a/htdocs/expensereport/document.php b/htdocs/expensereport/document.php
index 53d4d51ba84..356165c1c2c 100644
--- a/htdocs/expensereport/document.php
+++ b/htdocs/expensereport/document.php
@@ -42,6 +42,8 @@ $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 
+$childids = $user->getAllChildIds(1);
+
 // Security check
 if ($user->socid) $socid = $user->socid;
 $result = restrictedArea($user, 'expensereport', $id, 'expensereport');
@@ -61,7 +63,10 @@ if (!$sortfield) $sortfield = "position_name";
 
 
 $object = new ExpenseReport($db);
-$object->fetch($id, $ref);
+if (!$object->fetch($id, $ref) > 0)
+{
+ dol_print_error($db);
+}
 
 $upload_dir = $conf->expensereport->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'trip';
@@ -69,6 +74,18 @@ $modulepart = 'trip';
 
 // Load object
 //include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be include, not include_once // Must be include, not include_once. Include fetch and fetch_thirdparty but not fetch_optionals
+if ($object->id > 0)
+{
+ // Check current user can read this expense report
+ $canread = 0;
+ if (!empty($user->rights->expensereport->readall)) $canread = 1;
+ if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
+ if (!$canread)
+ {
+ accessforbidden();
+ }
+}
+
 /*
  * Actions
diff --git a/htdocs/expensereport/info.php b/htdocs/expensereport/info.php
index b52680ad215..0b50a69071f 100644
--- a/htdocs/expensereport/info.php
+++ b/htdocs/expensereport/info.php
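Review bot: The new guard `if (!$object->fetch($id, $ref) > 0)` in the second document.php hunk does not test what it reads as: `!` binds tighter than `>`, so the expression is `(!$ret) > 0`, which is true only when fetch() returns 0 and stays false for a negative (error) return, so database errors are never reported; write it as `if ($object->fetch($id, $ref) <= 0)`. The error branch also falls through: dol_print_error() does not stop the script, and the very next line builds `$upload_dir` from a now-empty `$object->ref`, i.e. the module's root output directory, which anything later in the page that uses `$upload_dir` would then be working with; add `exit;` after `dol_print_error($db);`. The same construct is introduced in the info.php hunk, and note.php already carries it (it is the context text of that file's second hunk header). The Actions section that consumes these values starts outside the hunk.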
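Review bot: The read check added in the third document.php hunk is pasted verbatim into info.php and the second note.php hunk; a single helper — a method on ExpenseReport or a shared include taking `$user` and `$childids` — would keep the three copies from drifting the next time the rule changes. Within the block, `in_array($object->fk_user_author, $childids)` relies on loose comparison; if fk_user_author arrives from the database as a string, `in_array((int) $object->fk_user_author, $childids, true)` makes the intent explicit, assuming getAllChildIds() returns integers, which is worth confirming. The block is skipped whenever `$object->id` is not positive, so it only protects the page if a failed fetch above actually stops execution rather than just printing an error. A short comment would document the rule, e.g. `// readall grants access to any report; otherwise the author must be in $childids (current user's hierarchy)`. The Actions section follows outside the hunk.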
@@ -31,11 +31,33 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php';
 // Load translation files required by the page
 $langs->load("trips");
 
-// Security check
 $id = GETPOST('id', 'int');
+$ref = GETPOST('ref', 'alpha');
+
+$childids = $user->getAllChildIds(1);
+
+// Security check
 if ($user->socid) $socid = $user->socid;
 $result = restrictedArea($user, 'expensereport', $id, 'expensereport');
 
+$object = new ExpenseReport($db);
+if (!$object->fetch($id, $ref) > 0)
+{
+ dol_print_error($db);
+}
+
+if ($object->id > 0)
+{
+ // Check current user can read this expense report
+ $canread = 0;
+ if (!empty($user->rights->expensereport->readall)) $canread = 1;
+ if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
+ if (!$canread)
+ {
+ accessforbidden();
+ }
+}
+
 
 /*
  * View
diff --git a/htdocs/expensereport/note.php b/htdocs/expensereport/note.php
index b95288d908e..171e8980fab 100644
--- a/htdocs/expensereport/note.php
+++ b/htdocs/expensereport/note.php
@@ -37,6 +37,8 @@ $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
 $action = GETPOST('action', 'aZ09');
 
+$childids = $user->getAllChildIds(1);
+
 // Security check
 $socid = 0;
 if ($user->socid) $socid = $user->socid;
@@ -51,6 +53,18 @@ if (!$object->fetch($id, $ref) > 0)
 
 $permissionnote = $user->rights->expensereport->creer; // Used by the include of actions_setnotes.inc.php
 
+if ($object->id > 0)
+{
+ // Check current user can read this expense report
+ $canread = 0;
+ if (!empty($user->rights->expensereport->readall)) $canread = 1;
+ if (!empty($user->rights->expensereport->lire) && in_array($object->fk_user_author, $childids)) $canread = 1;
+ if (!$canread)
+ {
+ accessforbidden();
+ }
+}
+
 
 /*
  * Actions