diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index 1bca14827e6..964e368c4e3 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -2119,6 +2119,9 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, if (empty($conf->multicompany->enabled)) $entity=1; else $entity=0; } + // Fix modulepart + if ($modulepart == 'users') $modulepart='user'; + dol_syslog('modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity); // We define $accessallowed and $sqlprotectagainstexternals $accessallowed=0; diff --git a/htdocs/document.php b/htdocs/document.php index 07cc7cea77b..dd7ca2cb79c 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -38,7 +38,7 @@ if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // For direct external download link, we don't need to load/check we are into a login session -if (isset($_GET["hashp"])) +if (isset($_GET["hashp"]) && ! defined("NOLOGIN")) { if (! defined("NOLOGIN")) define("NOLOGIN",1); if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",1); // We accept to go on this page from external web site. @@ -122,8 +122,14 @@ if (! empty($hashp)) if ($result > 0) { $tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory - $moduleparttocheck = $tmp[0]; - if ($modulepart) // Not required for link using public hashp + // filepath can be 'users/X' or 'X/propale/PR11111' + if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part. + { + $tmp = explode('/', $tmp[1], 2); + } + $moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path + + if ($modulepart) // Not required, so often not defined, for link using public hashp parameter. { if ($moduleparttocheck == $modulepart) { diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index 200230e5ca7..ea29fe0d8bd 100644 
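Review bot: The `'users'` to `'user'` alias added in dol_check_secure_access_document (htdocs/core/lib/files.lib.php) only takes effect once this function is reached. The `$moduleparttocheck == $modulepart` checks in the hashp branches of document.php and viewimage.php, whose new comments say the stored path can be `users/X`, still compare the un-normalised name. Whether a request passing `modulepart=user` for such a path is rejected or falls through is not visible in this diff and is worth confirming. The comment `// Fix modulepart` should say why the alias exists, for example `// ECM paths use the directory name 'users'; the rules below are keyed on 'user'` (assuming that is the reason). A strict test, `if ($modulepart === 'users') $modulepart = 'user';`, keeps PHP's loose-comparison rules away from a value that feeds the `$accessallowed` decision; the function body starts and ends outside the hunk.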
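Review bot: In the first document.php hunk, adding `&& ! defined("NOLOGIN")` to the outer test makes the inner `if (! defined("NOLOGIN"))` guard always true. It also means that when NOLOGIN is already defined the whole block is skipped, including the `NOCSRFCHECK` define on the following line. If the aim is only to avoid redefining NOLOGIN, the original `if (isset($_GET["hashp"]))` is enough, since each define already carries its own guard. Because the presence of a `hashp` parameter alone switches off the login-session check, a comment such as `// Login is skipped on the presence of hashp alone: every path below must fail closed when the hash does not resolve to a shared file` would record the invariant the rest of the script has to hold. The block continues past the end of the hunk.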
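Review bot: In the hashp branch (second document.php hunk), `$tmp[1]` is read without checking that it exists. A stored filepath that is a bare numeric segment with no `/` therefore raises an undefined-offset notice and hands a null to explode(), which appears to leave `$moduleparttocheck` as an empty string. `is_numeric()` also accepts values such as `1.5`, `-1` or `1e3`, which are not entity ids; `if (isset($tmp[1]) && ctype_digit($tmp[0]))` is the tighter test. The skipped entity segment is not compared with the current entity anywhere in the visible lines, which may be intended for public links but deserves a comment saying so. The identical block added in the viewimage.php hunk has the same issues.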
--- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php @@ -131,8 +131,14 @@ if (! empty($hashp)) if ($result > 0) { $tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory - $moduleparttocheck = $tmp[0]; - if ($modulepart) // Not required for link using public hashp + // filepath can be 'users/X' or 'X/propale/PR11111' + if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part. + { + $tmp = explode('/', $tmp[1], 2); + } + $moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path + + if ($modulepart) // Not required, so often not defined, for link using public hashp parameter. { if ($moduleparttocheck == $modulepart) {
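Review bot: This block is a line-for-line copy of the one added to document.php, so the rule that decides which path segment names the module now lives in two entry points that both handle public hashp links. Moving the split-and-skip-entity logic into one function in the shared library (files.lib.php already holds dol_check_secure_access_document) and calling it from both scripts would stop the two checks drifting apart when one is later hardened. The enclosing `if (! empty($hashp))` block starts and ends outside the hunk.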