diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php
index 47c8431072d..fe41203e946 100644
--- a/htdocs/comm/card.php
+++ b/htdocs/comm/card.php
@@ -86,6 +86,15 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('thirdpartycomm', 'globalcard'));
 
+// Security check
+$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);
+
+if ($object->id > 0) {
+	if (!($object->client > 0) || empty($user->rights->societe->lire)) {
+		accessforbidden();
+	}
+}
+
 $now = dol_now();
 
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 3df92993091..9667a67d360 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -639,7 +639,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
  * @param int $printheader Show header before
  * @param int $printfooter Show footer after
  * @param int $showonlymessage Show only message parameter. Otherwise add more information.
- * @param array|null $params Send params
+ * @param array|null $params More parameters provided to hook
  * @return void
  */
 function accessforbidden($message = '', $printheader = 1, $printfooter = 1, $showonlymessage = 0, $params = null)
diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 52f9a60d2be..625e1ef00b3 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
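Review bot: The return value of `restrictedArea()` is stored in `$result` but never read, so if that helper ever signals denial by returning instead of exiting, the page continues unchecked; either drop the assignment or test it (`if (!$result) accessforbidden();`). The added type check also only fires when `$object->id > 0`, i.e. after the third party has been fetched, and that fetch is outside this hunk — a request that reaches this point with the object still unloaded gets no customer/supplier gating at all, so it is worth confirming the fetch precedes this block. The intent of the block is also undocumented; I would add `// Commercial card: only customers/prospects (client > 0) are reachable here; supplier-only third parties must go through fourn/card.php` above it.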
@@ -865,8 +865,8 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM
 
 			if (!empty($conf->societe->enabled) && ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) || !empty($conf->supplier_proposal->enabled))) {
 				$langs->load("suppliers");
-				$newmenu->add("/societe/list.php?type=f&leftmenu=suppliers", $langs->trans("ListSuppliersShort"), 2, ($user->rights->fournisseur->lire || $user->rights->supplier_proposal->lire), '', $mainmenu, 'suppliers');
-				$newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->rights->societe->creer && ($user->rights->fournisseur->lire || $user->rights->supplier_proposal->lire));
+				$newmenu->add("/societe/list.php?type=f&leftmenu=suppliers", $langs->trans("ListSuppliersShort"), 2, ($user->rights->fournisseur->lire), '', $mainmenu, 'suppliers');
+				$newmenu->add("/societe/card.php?leftmenu=suppliers&action=create&type=f", $langs->trans("MenuNewSupplier"), 3, $user->rights->societe->creer && ($user->rights->fournisseur->lire));
 			}
 
 			// Categories
diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php
index 85ab93d17ec..728710b97ba 100644
--- a/htdocs/fourn/card.php
+++ b/htdocs/fourn/card.php
@@ -65,6 +65,15 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('suppliercard', 'globalcard'));
 
+// Security check
+$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);
+
+if ($object->id > 0) {
+	if (!($object->fournisseur > 0) || empty($user->rights->fournisseur->lire)) {
+		accessforbidden();
+	}
+}
+
 /*
  * Action
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index 1edd5492a81..7d7dcbe86c3 100644
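Review bot: With `supplier_proposal->lire` dropped, the outer `if` still enables this menu block when only the supplier-proposal module is active, yet both entries now read `$user->rights->fournisseur->lire` unguarded; if the fournisseur module is disabled its rights object is presumably not populated and that read warns on PHP 8 — hedged, since rights loading happens outside the hunk. Writing it as `!empty($user->rights->fournisseur->lire)` in both `add()` calls avoids the notice and leaves the entries simply disabled. Menu visibility is not an access control; the real gate is the check this commit adds to fourn/card.php, and this hunk only needs to stay consistent with it. The enclosing function `print_left_eldy_menu` starts and ends outside the hunk.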
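Review bot: `restrictedArea()` is keyed on `$socid` while the type check just below it is keyed on `$object->id`; if this page can also load the third party by reference (both variables are set outside the hunk), `$socid` may be 0 while `$object->id` is not, and whatever record-level checks `restrictedArea()` performs for a concrete id would presumably be skipped for that request. Passing the fetched id once the object is loaded avoids the gap: `restrictedArea($user, 'societe', ($object->id > 0 ? $object->id : $socid), '&societe', '', 'fk_soc', 'rowid', 0);`. As in comm/card.php, `$result` is assigned and never read; drop it or check it. The mirror check on the customer card requires `societe->lire` whereas this one requires `fournisseur->lire`, and a one-line comment explaining why the two cards gate on different rights would save the next reader a detour.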
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -97,6 +97,16 @@ if (!empty($canvas))
 // Security check
 $result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);
 
+/*
+if ($object->id > 0) {
+	if ($object->client == 0 && $object->fournisseur > 0) {
+		if (!empty($user->rights->fournisseur->lire)) {
+			accessforbidden();
+		}
+	}
+}
+*/
+
 $permissiontoread = $user->rights->societe->lire;
 $permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
 $permissiontodelete = $user->rights->societe->delete || ($permissiontoadd && isset($object->status) && $object->status == 0);
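Review bot: The added block is commented-out code, and the logic it would enforce is inverted — it calls `accessforbidden()` when the user *has* `fournisseur->lire` (`!empty(...)`), so un-commenting it later would lock out exactly the users who should see a supplier-only record. As committed, the generic card applies no customer/supplier gating at all, so the `fournisseur->lire` requirement added to fourn/card.php in this same commit can be sidestepped by opening the same id here with only `societe->lire`. If that gap is accepted, delete the dead block and record the decision, e.g. `// Generic card: reachable with societe->lire only; per-type gating lives in comm/card.php and fourn/card.php`; if not, enable the block with the condition corrected to `if (empty($user->rights->fournisseur->lire)) { accessforbidden(); }`. `$result` from `restrictedArea()` is never read here either.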