diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php
index 5bf0b91974b..77e917996a0 100644
--- a/htdocs/comm/action/rapport/index.php
+++ b/htdocs/comm/action/rapport/index.php
@@ -66,7 +66,7 @@ if (!$user->hasRight("agenda", "allactions", "read")) {
  * Actions
  */
 
-if ($action == 'builddoc') {
+if ($action == 'builddoc' && $user->hasRight("agenda", "allactions", "read")) {
 	require_once DOL_DOCUMENT_ROOT.'/core/modules/action/doc/pdf_standard_actions.class.php';
 
 	$cat = new pdf_standard_actions($db, $month, $year);
diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php
index 5462627a1c1..5d3644cbd9a 100644
--- a/htdocs/comm/card.php
+++ b/htdocs/comm/card.php
@@ -160,7 +160,7 @@ if (empty($reshook)) {
 	}
 
 	// Set accountancy code
-	if ($action == 'setcustomeraccountancycode') {
+	if ($action == 'setcustomeraccountancycode' && $user->hasRight('societe', 'creer')) {
 		$result = $object->fetch($id);
 		$object->code_compta_client = GETPOST("customeraccountancycode");
 		$object->code_compta = $object->code_compta_client; // For Backward compatibility
@@ -237,7 +237,7 @@ if (empty($reshook)) {
 	}
 
 	// set communication status
-	if ($action == 'setstcomm') {
+	if ($action == 'setstcomm' && $user->hasRight('societe', 'creer')) {
 		$object->fetch($id);
 		$object->stcomm_id = dol_getIdFromCode($db, GETPOST('stcomm', 'alpha'), 'c_stcomm');
 		$result = $object->update($object->id, $user);
@@ -249,7 +249,7 @@ if (empty($reshook)) {
 	}
 
 	// update outstandng limit
-	if ($action == 'setoutstanding_limit') {
+	if ($action == 'setoutstanding_limit' && $user->hasRight('societe', 'creer')) {
 		$object->fetch($id);
 		$object->outstanding_limit = GETPOST('outstanding_limit');
 		$result = $object->update($object->id, $user);
@@ -259,7 +259,7 @@ if (empty($reshook)) {
 	}
 
 	// update order min amount
-	if ($action == 'setorder_min_amount') {
+	if ($action == 'setorder_min_amount' && $user->hasRight('societe', 'creer')) {
 		$object->fetch($id);
 		$object->order_min_amount = price2num(GETPOST('order_min_amount', 'alpha'));
 		$result = $object->update($object->id, $user);
diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php
index e0098643747..bdfcc48f71a 100644
--- a/htdocs/comm/mailing/advtargetemailing.php
+++ b/htdocs/comm/mailing/advtargetemailing.php
@@ -101,12 +101,15 @@ if (!$user->hasRight('mailing', 'lire') || (!getDolGlobalString('EXTERNAL_USERS_
 }
 //$result = restrictedArea($user, 'mailing');
 
+$permissiontoread = $user->hasRight('mailing', 'lire');
+$permissiontoadd = $user->hasRight('mailing', 'creer');
+
 
 /*
  * Actions
  */
 
-if ($action == 'loadfilter') {
+if ($action == 'loadfilter' && $permissiontoread) {
 	if (!empty($template_id)) {
 		$result = $advTarget->fetch($template_id);
 		if ($result < 0) {
@@ -119,7 +122,7 @@ if ($action == 'loadfilter') {
 	}
 }
 
-if ($action == 'add') {
+if ($action == 'add' && $permissiontoadd) {
 	$user_contact_query = false;
 
 	$array_query = array();
@@ -255,7 +258,7 @@ if ($action == 'add') {
 	}
 }
 
-if ($action == 'clear') {
+if ($action == 'clear' && $permissiontoadd) {
 	// Load a new class instance
 	$classname = "MailingTargets";
 	$obj = new $classname($db);
@@ -265,11 +268,11 @@ if ($action == 'clear') {
 	exit();
 }
 
-if ($action == 'savefilter' || $action == 'createfilter') {
+if (($action == 'savefilter' || $action == 'createfilter') && $permissiontoadd) {
 	$template_name = GETPOST('template_name');
 	$error = 0;
 
-	if ($action == 'createfilter' && empty($template_name)) {
+	if ($action == 'createfilter' && empty($template_name) && $permissiontoadd) {
 		setEventMessages($langs->trans('ErrorFieldRequired', $langs->transnoentitiesnoconv('AdvTgtOrCreateNewFilter')), null, 'errors');
 		$error++;
 	}
@@ -353,13 +356,13 @@ if ($action == 'savefilter' || $action == 'createfilter') {
 		}
 		$advTarget->filtervalue = json_encode($array_query);
 
-		if ($action == 'createfilter') {
+		if ($action == 'createfilter') {		// Test on permission already done
 			$advTarget->name = $template_name;
 			$result = $advTarget->create($user);
 			if ($result < 0) {
 				setEventMessages($advTarget->error, $advTarget->errors, 'errors');
 			}
-		} elseif ($action == 'savefilter') {
+		} elseif ($action == 'savefilter') {	// Test on permission already done
 			$result = $advTarget->update($user);
 			if ($result < 0) {
 				setEventMessages($advTarget->error, $advTarget->errors, 'errors');
@@ -369,7 +372,7 @@ if ($action == 'savefilter' || $action == 'createfilter') {
 	}
 }
 
-if ($action == 'deletefilter') {
+if ($action == 'deletefilter' && $permissiontoadd) {
 	$result = $advTarget->delete($user);
 	if ($result < 0) {
 		setEventMessages($advTarget->error, $advTarget->errors, 'errors');
@@ -378,7 +381,7 @@ if ($action == 'deletefilter') {
 	exit();
 }
 
-if ($action == 'delete') {
+if ($action == 'delete' && $permissiontoadd) {
 	// Ici, rowid indique le destinataire et id le mailing
 	$sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid);
 	$resql = $db->query($sql);
@@ -405,6 +408,7 @@ if (GETPOST("button_removefilter")) {
 	$search_email = '';
 }
 
+
 /*
  * View
  */
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index c4778c4cd3d..c0f3cca7593 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -588,19 +588,19 @@ if (empty($reshook)) {
 	if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setemail_replyto' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontovalidatesend) {
 		$upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing');
 
-		if ($action == 'settitle') {
+		if ($action == 'settitle') {					// Test on permission already done
 			$object->title = trim(GETPOST('title', 'alpha'));
-		} elseif ($action == 'setemail_from') {
+		} elseif ($action == 'setemail_from') {			// Test on permission already done
 			$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
-		} elseif ($action == 'setemail_replyto') {
+		} elseif ($action == 'setemail_replyto') {		// Test on permission already done
 			$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
-		} elseif ($action == 'setemail_errorsto') {
+		} elseif ($action == 'setemail_errorsto') {		// Test on permission already done
 			$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
-		} elseif ($action == 'settitle' && empty($object->title)) {
+		} elseif ($action == 'settitle' && empty($object->title)) {		// Test on permission already done
 			$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
-		} elseif ($action == 'setfrom' && empty($object->email_from)) {
+		} elseif ($action == 'setfrom' && empty($object->email_from)) {	// Test on permission already done
 			$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom"));
-		} elseif ($action == 'setevenunsubscribe') {
+		} elseif ($action == 'setevenunsubscribe') {	// Test on permission already done
 			$object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0);
 		}
 
@@ -771,7 +771,7 @@ llxHeader(
 );
 
 
-if ($action == 'create') {
+if ($action == 'create') {	// aaa
 	// EMailing in creation mode
 	print '<form name="new_mailing" action="'.$_SERVER['PHP_SELF'].'" method="POST">'."\n";
 	print '<input type="hidden" name="token" value="'.newToken().'">';
@@ -908,9 +908,7 @@ if ($action == 'create') {
 		if ($action != 'edit' && $action != 'edittxt' && $action != 'edithtml') {
 			print dol_get_fiche_head($head, 'card', $langs->trans("Mailing"), -1, 'email');
 
-			/*
-			 * View mode mailing
-			 */
+			// View mode mailing
 			if ($action == 'sendall') {
 				// Define message to recommend from command line
 				$sendingmode = getDolGlobalString('EMAILING_MAIL_SENDMODE');
diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php
index e2eab3e3e2a..6de83d0c79c 100644
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@@ -231,22 +231,22 @@ if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter.x'
 }
 
 // Action update description of emailing
-if ($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') {
+if (($action == 'settitle' || $action == 'setemail_from' || $action == 'setreplyto' || $action == 'setemail_errorsto' || $action == 'setevenunsubscribe') && $permissiontocreate) {
 	$upload_dir = $conf->mailing->dir_output."/".get_exdir($object->id, 2, 0, 1, $object, 'mailing');
 
-	if ($action == 'settitle') {
+	if ($action == 'settitle') {					// Test on permission already done
 		$object->title = trim(GETPOST('title', 'alpha'));
-	} elseif ($action == 'setemail_from') {
+	} elseif ($action == 'setemail_from') {			// Test on permission already done
 		$object->email_from = trim(GETPOST('email_from', 'alphawithlgt')); // Must allow 'name <email>'
-	} elseif ($action == 'setemail_replyto') {
+	} elseif ($action == 'setemail_replyto') {		// Test on permission already done
 		$object->email_replyto = trim(GETPOST('email_replyto', 'alphawithlgt')); // Must allow 'name <email>'
-	} elseif ($action == 'setemail_errorsto') {
+	} elseif ($action == 'setemail_errorsto') {		// Test on permission already done
 		$object->email_errorsto = trim(GETPOST('email_errorsto', 'alphawithlgt')); // Must allow 'name <email>'
-	} elseif ($action == 'settitle' && empty($object->title)) {
+	} elseif ($action == 'settitle' && empty($object->title)) {		// Test on permission already done
 		$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
-	} elseif ($action == 'setfrom' && empty($object->email_from)) {
+	} elseif ($action == 'setfrom' && empty($object->email_from)) {	// Test on permission already done
 		$mesg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailFrom"));
-	} elseif ($action == 'setevenunsubscribe') {
+	} elseif ($action == 'setevenunsubscribe') {	// Test on permission already done
 		$object->evenunsubscribe = (GETPOST('evenunsubscribe') ? 1 : 0);
 	}
 
diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php
index a096ea9f20e..202a9a6e612 100644
--- a/htdocs/comm/propal/card.php
+++ b/htdocs/comm/propal/card.php
@@ -838,10 +838,7 @@ if (empty($reshook)) {
 				$db->rollback();
 			}
 		}
-	} elseif ($action == 'import_lines_from_object'
-		&& $user->hasRight('propal', 'creer')
-		&& $object->statut == Propal::STATUS_DRAFT
-	) {
+	} elseif ($action == 'import_lines_from_object' && $usercancreate && $object->statut == Propal::STATUS_DRAFT) {
 		// add lines from objectlinked
 		$fromElement = GETPOST('fromelement');
 		$fromElementid = GETPOST('fromelementid');
@@ -1713,8 +1710,8 @@ if (empty($reshook)) {
 		}
 	}
 
-	if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) {
-		if ($action == 'addcontact') {
+	if (getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB')) {
+		if ($action == 'addcontact' && $usercancreate) {
 			if ($object->id > 0) {
 				$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));
 				$typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
@@ -1732,14 +1729,14 @@ if (empty($reshook)) {
 					setEventMessages($object->error, $object->errors, 'errors');
 				}
 			}
-		} elseif ($action == 'swapstatut') {
+		} elseif ($action == 'swapstatut' && $usercancreate) {
 			// Toggle the status of a contact
 			if ($object->fetch($id) > 0) {
 				$result = $object->swapContactStatus(GETPOSTINT('ligne'));
 			} else {
 				dol_print_error($db);
 			}
-		} elseif ($action == 'deletecontact') {
+		} elseif ($action == 'deletecontact' && $usercancreate) {
 			// Delete a contact
 			$object->fetch($id);
 			$result = $object->delete_contact($lineid);
diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php
index f02f67465f2..a3ef0f8d38f 100644
--- a/htdocs/comm/remise.php
+++ b/htdocs/comm/remise.php
@@ -62,7 +62,7 @@ if ($cancel) {
 	}
 }
 
-if ($action == 'setremise') {
+if ($action == 'setremise' && $user->hasRight('societe', 'lire')) {
 	$object = new Societe($db);
 	$object->fetch($id);
 
diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php
index 2345f9bcb0b..2ad3869639b 100644
--- a/htdocs/commande/card.php
+++ b/htdocs/commande/card.php
@@ -1627,7 +1627,7 @@ if (empty($reshook)) {
 
 
 	if (!$error && getDolGlobalString('MAIN_DISABLE_CONTACTS_TAB') && $usercancreate) {
-		if ($action == 'addcontact') {
+		if ($action == 'addcontact' && $usercancreate) {
 			if ($object->id > 0) {
 				$contactid = (GETPOST('userid') ? GETPOST('userid') : GETPOST('contactid'));
 				$typeid = (GETPOST('typecontact') ? GETPOST('typecontact') : GETPOST('type'));
@@ -1645,14 +1645,14 @@ if (empty($reshook)) {
 					setEventMessages($object->error, $object->errors, 'errors');
 				}
 			}
-		} elseif ($action == 'swapstatut') {
+		} elseif ($action == 'swapstatut' && $usercancreate) {
 			// bascule du statut d'un contact
 			if ($object->id > 0) {
 				$result = $object->swapContactStatus(GETPOSTINT('ligne'));
 			} else {
 				dol_print_error($db);
 			}
-		} elseif ($action == 'deletecontact') {
+		} elseif ($action == 'deletecontact' && $usercancreate) {
 			// Efface un contact
 			$result = $object->delete_contact($lineid);
 
diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php
index 15213628368..3c5b4534a11 100644
--- a/htdocs/compta/bank/card.php
+++ b/htdocs/compta/bank/card.php
@@ -118,7 +118,7 @@ if (empty($reshook)) {
 		$action = '';
 	}
 
-	if ($action == 'add') {
+	if ($action == 'add' && $user->hasRight('banque', 'configurer')) {
 		$error = 0;
 
 		$db->begin();
@@ -237,7 +237,7 @@ if (empty($reshook)) {
 		}
 	}
 
-	if ($action == 'update') {
+	if ($action == 'update' && $user->hasRight('banque', 'configurer')) {
 		$error = 0;
 
 		// Update account
diff --git a/htdocs/compta/bank/categ.php b/htdocs/compta/bank/categ.php
index 816b26b3ea4..828d9ed1696 100644
--- a/htdocs/compta/bank/categ.php
+++ b/htdocs/compta/bank/categ.php
@@ -77,7 +77,7 @@ if ($categid) {
 			$bankcateg->update($user);
 		}
 		//Delete category
-		if ($action == 'delete') {
+		if ($action == 'delete' && $user->hasRight('banque', 'configurer')) {
 			$bankcateg->delete($user);
 		}
 	}
diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php
index 39c40a40816..6968c2bf084 100644
--- a/htdocs/variants/combinations.php
+++ b/htdocs/variants/combinations.php
@@ -109,11 +109,11 @@ if (!$object->isProduct() && !$object->isService()) {
 	header('Location: '.dol_buildpath('/product/card.php?id='.$object->id, 2));
 	exit();
 }
-if ($action == 'add') {
+if ($action == 'add') {		// Test on permission not required
 	unset($selectedvariant);
 	unset($_SESSION['addvariant_'.$object->id]);
 }
-if ($action == 'create' && GETPOST('selectvariant', 'alpha')) {	// We click on select combination
+if ($action == 'create' && GETPOST('selectvariant', 'alpha') && $usercancreate) {	// We click on select combination
 	$action = 'add';
 	$attribute_id = GETPOSTINT('attribute');
 	$attribute_value_id = GETPOSTINT('value');
@@ -123,7 +123,7 @@ if ($action == 'create' && GETPOST('selectvariant', 'alpha')) {	// We click on s
 		$_SESSION['addvariant_'.$object->id] = $selectedvariant;
 	}
 }
-if ($action == 'create' && $subaction == 'delete') {	// We click on select combination
+if ($action == 'create' && $subaction == 'delete' && $usercancreate) {	// We click on select combination
 	$action = 'add';
 	$feature = GETPOST('feature', 'intcomma');
 	if (isset($selectedvariant[$feature])) {
@@ -138,12 +138,12 @@ $prodcomb2val = new ProductCombination2ValuePair($db);
 
 $productCombination2ValuePairs1 = array();
 
-if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) {	// We click on Create all defined combinations
+if (($action == 'add' || $action == 'create') && $usercancreate && empty($massaction) && !GETPOST('selectvariant', 'alpha') && empty($subaction)) {	// We click on Create all defined combinations
 	//$features = GETPOST('features', 'array');
 	$features = !empty($_SESSION['addvariant_'.$object->id]) ? $_SESSION['addvariant_'.$object->id] : array();
 
 	if (!$features) {
-		if ($action == 'create') {
+		if ($action == 'create') {	// Test on permission already done
 			setEventMessages($langs->trans('ErrorFieldsRequired'), null, 'errors');
 		}
 	} else {
@@ -270,7 +270,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST(
 		$db->commit();
 		setEventMessages($langs->trans('RecordSaved'), null, 'mesgs');
 	}
-} elseif ($action === 'update' && $combination_id > 0) {
+} elseif ($action === 'update' && $combination_id > 0 && $usercancreate) {
 	if ($prodcomb->fetch($combination_id) < 0) {
 		dol_print_error($db, $langs->trans('ErrorRecordNotFound'));
 		exit();
@@ -342,7 +342,7 @@ if (($action == 'add' || $action == 'create') && empty($massaction) && !GETPOST(
 // Reload variants
 $productCombinations = $prodcomb->fetchAllByFkProductParent($object->id, true);
 
-if ($action === 'confirm_deletecombination') {
+if ($action === 'confirm_deletecombination' && $usercancreate) {
 	if ($prodcomb->fetch($combination_id) > 0) {
 		$db->begin();
 
@@ -357,7 +357,7 @@ if ($action === 'confirm_deletecombination') {
 		setEventMessages($langs->trans('ProductCombinationAlreadyUsed'), null, 'errors');
 		$action = '';
 	}
-} elseif ($action === 'edit') {
+} elseif ($action === 'edit' && $usercancreate) {
 	if ($prodcomb->fetch($combination_id) < 0) {
 		dol_print_error($db, $langs->trans('ErrorRecordNotFound'));
 		exit();
@@ -371,7 +371,7 @@ if ($action === 'confirm_deletecombination') {
 	$price_impact_percent = $prodcomb->variation_price_percentage;
 
 	$productCombination2ValuePairs1 = $prodcomb2val->fetchByFkCombination($combination_id);
-} elseif ($action === 'confirm_copycombination') {
+} elseif ($action === 'confirm_copycombination' && $usercancreate) {
 	//Check destination product
 	$dest_product = GETPOST('dest_product');
 
diff --git a/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN b/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN
index 2650b696a75..f3822202b7e 100644
--- a/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN
+++ b/htdocs/webservices/demo_wsclient_thirdparty.php-NORUN
@@ -61,7 +61,7 @@ $authentication=array(
 
 
 // Test URL
-if ($action=='get')
+if ($action == 'get')
 {
     $parameters = array('authentication'=>$authentication,'id'=>1,'name'=>'','ref_ext'=>'');
     dol_syslog("Call method ".$WS_METHOD_GETTHIRDSPARTY);
@@ -78,7 +78,7 @@ if ($action=='get')
 }
 
 // Test URL
-if ($action=='getList')
+if ($action == 'getList')
 {
     $filterthirdparty=array('category'=>'3');
     $parameters = array('authentication'=>$authentication,$filterthirdparty);
@@ -96,7 +96,7 @@ if ($action=='getList')
 }
 
 // Test URL
-if ($action=='create')
+if ($action == 'create')
 {
 	$newthirdparty=array(
 	'ref'=>'Test WS Create Client',
@@ -109,7 +109,7 @@ if ($action=='create')
 	'zip'=>'75000',
 	'town'=>'Paris',
 	'country_id'=>'1',//France
-	'customer_code'=>'-1',//Generate code regarding module configuration 
+	'customer_code'=>'-1',//Generate code regarding module configuration
 	'supplier_code'=>'0',
 	'phone'=>'0141414141',
 	'fax'=>'0121212121',
@@ -127,8 +127,8 @@ if ($action=='create')
 	//,'options_attr1'=>'Attr1 balbal', //Extra field example where field code is attr1
 	//'options_attr2'=>'Attr2 balbal' //Extra field example where field code is attr2
 	);
-	
-	
+
+
 	$parameters = array('authentication'=>$authentication,'thirdparty'=>$newthirdparty);
 	dol_syslog("Call method ".$WS_METHOD_CREATETHIRDSPARTY);
 	$result = $soapclient->call($WS_METHOD_CREATETHIRDSPARTY,$parameters,$ns,'');
@@ -144,7 +144,7 @@ if ($action=='create')
 }
 
 // Test URL
-if ($action=='update')
+if ($action == 'update')
 {
 	$thirdparty=array(
 	'id'=>'1',
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index ee84b8f0653..61966d21d0f 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -140,7 +140,7 @@ if (GETPOST('createpagefromclone', 'alpha')) {
 if (empty($action) && $file_manager) {
 	$action = 'file_manager';
 }
-if ($action == 'replacesite' || (empty($action) && $replacesite)) {
+if ($action == 'replacesite' || (empty($action) && $replacesite)) {		// Test on permission not required
 	$mode = 'replacesite';
 }
 if (GETPOST('refreshsite') || GETPOST('refreshsite_x') || GETPOST('refreshsite.x')) {
@@ -333,7 +333,7 @@ if (GETPOST('optionsitefiles')) {
 }
 
 if (empty($sortfield)) {
-	if ($action == 'file_manager') {
+	if ($action == 'file_manager') {	// Test on permission not required
 		$sortfield = 'name';
 		$sortorder = 'ASC';
 	} else {
@@ -344,7 +344,7 @@ if (empty($sortfield)) {
 
 $searchkey = GETPOST('searchstring', 'restricthtml');
 
-if ($action == 'replacesite' || $mode == 'replacesite') {
+if ($action == 'replacesite' || $mode == 'replacesite') {	// Test on permission not required
 	$containertype = GETPOST('optioncontainertype', 'aZ09') != '-1' ? GETPOST('optioncontainertype', 'aZ09') : '';
 	$langcode = GETPOST('optionlanguage', 'aZ09');
 	$otherfilters = array();
diff --git a/htdocs/website/websiteaccount_card.php b/htdocs/website/websiteaccount_card.php
index 399bbb983b5..fd0f8cdfd1d 100644
--- a/htdocs/website/websiteaccount_card.php
+++ b/htdocs/website/websiteaccount_card.php
@@ -143,7 +143,7 @@ if ($reshook < 0) {
 if (empty($reshook)) {
 	$backurlforlist = dol_buildpath('/societe/website.php', 1).'?id='.$object->fk_soc;
 
-	if ($action == 'add' && !GETPOST('site')) {
+	if ($action == 'add' && !GETPOST('site')) {		// Test on permission not required
 		setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Website")), null, 'errors');
 		$action = 'create';
 	}
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 747745a6b86..ba7a34ff395 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -636,7 +636,8 @@ class CodingPhpTest extends CommonClassTest
 			&& !preg_match('/\.tpl\.php/', $file['fullname'])
 			&& !preg_match('/\.lib\.php/', $file['fullname'])
 			&& !preg_match('/\.inc\.php/', $file['fullname'])
-			&& !preg_match('/\.class\.php/', $file['fullname'])) {
+			&& !preg_match('/\.class\.php/', $file['fullname'])
+			&& !preg_match('/NORUN$/', $file['fullname'])) {
 			$ok = true;
 			$matches = array();
 
@@ -654,7 +655,8 @@ class CodingPhpTest extends CommonClassTest
 					&& !preg_match('/\$permission/', $val[0])
 					&& !preg_match('/\$usercan/', $val[0])
 					&& !preg_match('/\$canedit/', $val[0])
-					&& !preg_match('/already done/', $val[0])) {
+					&& !preg_match('/already done/i', $val[0])
+					&& !preg_match('/not required/i', $val[0])) {
 					$ok = false;
 					print "Line: ".$val[0]."\n";
 					break;