diff --git a/htdocs/accountancy/index.php b/htdocs/accountancy/index.php
index 6e13a662948..1842c23f418 100644
--- a/htdocs/accountancy/index.php
+++ b/htdocs/accountancy/index.php
@@ -49,7 +49,7 @@ if (empty($user->rights->accounting->mouvements->lire)) {
 if (empty($conf->comptabilite->enabled) && empty($conf->accounting->enabled) && empty($conf->asset->enabled) && empty($conf->intracommreport->enabled)) {
 	accessforbidden();
 }
-if (empty($user->rights->compta->resultat->lire) && empty($user->rights->accounting->mouvements->lire) && empty($user->rights->asset->read) && empty($user->rights->intracommreport->read)) {
+if (empty($user->rights->compta->resultat->lire) && empty($user->rights->accounting->comptarapport->lire) && empty($user->rights->accounting->mouvements->lire) && empty($user->rights->asset->read) && empty($user->rights->intracommreport->read)) {
 	accessforbidden();
 }
 
diff --git a/htdocs/admin/agenda_reminder.php b/htdocs/admin/agenda_reminder.php
index b3a85d1fe4b..2b2da673202 100644
--- a/htdocs/admin/agenda_reminder.php
+++ b/htdocs/admin/agenda_reminder.php
@@ -226,6 +226,7 @@ if (empty($conf->cron->enabled)) {
 		// Get the max frequency of reminder
 		if ($job->id > 0) {
 			if ($job->status != $job::STATUS_ENABLED) {
+				$langs->load("cron");
 				print '<span class="opacitymedium warning">'.$langs->trans("JobXMustBeEnabled", $langs->transnoentitiesnoconv("sendEmailsReminder")).'</span>';
 			} else {
 				print '<a href="'.$_SERVER['PHP_SELF'].'?action=del_AGENDA_REMINDER_EMAIL&amp;token='.newToken().'">'.img_picto($langs->trans('Enabled'), 'switch_on').'</a>';
diff --git a/htdocs/admin/system/database-tables.php b/htdocs/admin/system/database-tables.php
index 7535500e799..3d31c516858 100644
--- a/htdocs/admin/system/database-tables.php
+++ b/htdocs/admin/system/database-tables.php
@@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2003		Rodolphe Quiedeville	<rodolphe@quiedeville.org>
- * Copyright (C) 2004-2005	Laurent Destailleur		<eldy@users.sourceforge.net>
+ * Copyright (C) 2004-2021	Laurent Destailleur		<eldy@users.sourceforge.net>
  * Copyright (C) 2004		Sebastien Di Cintio		<sdicintio@ressource-toi.org>
  * Copyright (C) 2004		Benoit Mortier			<benoit.mortier@opensides.be>
  * Copyright (C) 2005-2012	Regis Houssin			<regis.houssin@inodbox.com>
@@ -21,9 +21,13 @@
 
 /**
  *	\file       htdocs/admin/system/database-tables.php
- *	\brief      Page with information on database tables
+ *	\brief      Page with information on database tables. Add also some maintenance action to convert tables.
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@@ -126,14 +130,14 @@ if (!$base) {
 				print '</td>';
 				print '<td>'.$obj->Engine.'</td>';
 				if (isset($obj->Engine) && $obj->Engine == "MyISAM") {
-					print '<td><a class="reposition" href="database-tables.php?action=convert&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' InnoDb</a></td>';
+					print '<td><a class="reposition" href="database-tables.php?action=convert&table='.urlencode($obj->Name).'&token='.newToken().'">'.$langs->trans("Convert").' InnoDb</a></td>';
 				} else {
 					print '<td>&nbsp;</td>';
 				}
 				print '<td>';
 				print $obj->Row_format;
 				if (isset($obj->Row_format) && (in_array($obj->Row_format, array("Compact")))) {
-					print '<br><a class="reposition" href="database-tables.php?action=convertdynamic&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' Dynamic</a>';
+					print '<br><a class="reposition" href="database-tables.php?action=convertdynamic&table='.urlencode($obj->Name).'&token='.newToken().'">'.$langs->trans("Convert").' Dynamic</a>';
 				}
 				print '</td>';
 				print '<td align="right">'.$obj->Rows.'</td>';
@@ -145,7 +149,7 @@ if (!$base) {
 				print '<td align="right">'.$obj->Check_time.'</td>';
 				print '<td align="right">'.$obj->Collation;
 				if (isset($obj->Collation) && (in_array($obj->Collation, array("utf8mb4_general_ci", "utf8mb4_unicode_ci", "latin1_swedish_ci")))) {
-					print '<br><a class="reposition" href="database-tables.php?action=convertutf8&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' UTF8</a>';
+					print '<br><a class="reposition" href="database-tables.php?action=convertutf8&table='.urlencode($obj->Name).'&token='.newtoken().'">'.$langs->trans("Convert").' UTF8</a>';
 				}
 				print '</td>';
 				print '</tr>';
diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php
index 79690032901..f2df395060b 100644
--- a/htdocs/admin/system/security.php
+++ b/htdocs/admin/system/security.php
@@ -88,10 +88,14 @@ if (function_exists('exec')) {
 }
 print '<br>';
 
-print "<strong>PHP safe_mode</strong> = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).' &nbsp; <span class="opacitymedium">'.$langs->trans("Deprecated")." (removed in PHP 5.4)</span><br>\n";
+print "<strong>PHP session.use_strict_mode</strong> = ".(ini_get('session.use_strict_mode') ? ini_get('session.use_strict_mode') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
+print "<strong>PHP session.use_only_cookies</strong> = ".(ini_get('session.use_only_cookies') ? ini_get('session.use_only_cookies') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
+print "<strong>PHP session.cookie_httponly</strong> = ".(ini_get('session.cookie_httponly') ? ini_get('session.cookie_httponly') : '').' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", '1').")</span><br>\n";
+print "<strong>PHP session.cookie_samesite</strong> = ".(ini_get('session.cookie_samesite') ? ini_get('session.cookie_samesite') : 'None').' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", 'Strict').")</span><br>\n";
 print "<strong>PHP open_basedir</strong> = ".(ini_get('open_basedir') ? ini_get('open_basedir') : yn(0).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("ARestrictedPath").', '.$langs->transnoentitiesnoconv("Example").' '.$_SERVER["DOCUMENT_ROOT"]).')</span>')."<br>\n";
 print "<strong>PHP allow_url_fopen</strong> = ".(ini_get('allow_url_fopen') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_fopen') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")</span><br>\n";
 print "<strong>PHP allow_url_include</strong> = ".(ini_get('allow_url_include') ? img_picto($langs->trans("YouShouldSetThisToOff"), 'warning').' '.ini_get('allow_url_include') : yn(0)).' &nbsp; <span class="opacitymedium">('.$langs->trans("RecommendedValueIs", $langs->transnoentitiesnoconv("No")).")</span><br>\n";
+//print "<strong>PHP safe_mode</strong> = ".(ini_get('safe_mode') ? ini_get('safe_mode') : yn(0)).' &nbsp; <span class="opacitymedium">'.$langs->trans("Deprecated")." (removed in PHP 5.4)</span><br>\n";
 print "<strong>PHP disable_functions</strong> = ";
 $arrayoffunctionsdisabled = explode(',', ini_get('disable_functions'));
 $arrayoffunctionstodisable = explode(',', 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals');
@@ -245,7 +249,7 @@ if (empty($dolibarr_main_prod)) {
 }
 print '<br>';
 
-print '<strong>$dolibarr_nocsrfcheck</strong>: '.$dolibarr_nocsrfcheck;
+print '<strong>$dolibarr_nocsrfcheck</strong>: '.(empty($dolibarr_nocsrfcheck) ? '0' : $dolibarr_nocsrfcheck);
 if (!empty($dolibarr_nocsrfcheck)) {
 	print ' &nbsp; '.img_picto('', 'warning').' '.$langs->trans("IfYouAreOnAProductionSetThis", 0);
 }
@@ -346,7 +350,7 @@ if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) {
 if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
 	print '<br><strong>MAIN_SECURITY_SALT</strong> = '.(empty($conf->global->MAIN_SECURITY_SALT) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->MAIN_SECURITY_SALT).'<br>';
 } else {
-	print '<span class="opacitymedium">('.$langs->trans("Recommanded").': password_hash)</span>';
+	print '<span class="opacitymedium">('.$langs->trans("Recommended").': password_hash)</span>';
 	print '<br>';
 }
 if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
@@ -359,16 +363,19 @@ if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') {
 }
 print '<br>';
 
-print '<strong>MAIN_SECURITY_ANTI_SSRF_SERVER_IP</strong> = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span> &nbsp; <span class="opacitymedium">('.$langs->trans("Example").': static-ips-of-server - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)</span>' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."<br>";
+print '<strong>MAIN_SECURITY_ANTI_SSRF_SERVER_IP</strong> = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span> &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': List of static IPs of server separated with coma - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)</span>' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."<br>";
 print '<br>';
 
-print '<strong>MAIN_ALLOW_SVG_FILES_AS_IMAGES</strong> = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0 &nbsp; <span class="opacitymedium">('.$langs->trans("Recommanded").': 0)</span>' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)."<br>";
+print '<strong>MAIN_ALLOW_SVG_FILES_AS_IMAGES</strong> = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES).' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 0)</span><br>';
 print '<br>';
 
-print '<strong>MAIN_RESTRICTHTML_ONLY_VALID_HTML</strong> = '.(empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommanded").': 1)</span>' : $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)."<br>";
+print '<strong>MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE</strong> = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE).' &nbsp; <span class="opacitymedium">('.$langs->trans("Recommended").': 1)</span><br>';
 print '<br>';
 
-print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommanded").': 1)</span>' : $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)."<br>";
+print '<strong>MAIN_RESTRICTHTML_ONLY_VALID_HTML</strong> = '.(empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>' : $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)."<br>";
+print '<br>';
+
+print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>' : $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)."<br>";
 print '<br>';
 
 print '<strong>MAIN_EXEC_USE_POPEN</strong> = ';
@@ -378,10 +385,14 @@ if (empty($conf->global->MAIN_EXEC_USE_POPEN)) {
 	print $conf->global->MAIN_EXEC_USE_POPEN;
 }
 if ($execmethod == 1) {
-	print ' &nbsp; <span class="opacitymedium">("exec" PHP method will be used for shell commands)</span>';
+	print '<span class="opacitymedium">, "exec" PHP method will be used for shell commands';
+	print ' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)';
+	print '</span>';
 }
 if ($execmethod == 2) {
-	print ' &nbsp; <span class="opacitymedium">("popen" PHP method will be used for shell commands)</span>';
+	print '<span class="opacitymedium">, "popen" PHP method will be used for shell commands';
+	print ' &nbsp; ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)';
+	print '</span>';
 }
 print "<br>";
 print '<br>';
diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php
index 428c80676a2..4f6977ffb41 100644
--- a/htdocs/admin/tools/dolibarr_export.php
+++ b/htdocs/admin/tools/dolibarr_export.php
@@ -136,7 +136,7 @@ $title = $langs->trans("Backup");
 print load_fiche_titre($title, '', 'title_setup');
 //print_barre_liste($langs->trans("Backup"), '', '', '', '', '', $langs->trans("BackupDesc",DOL_DATA_ROOT), 0, 0, 'title_setup');
 
-print '<div class="center opacitymedium">';
+print '<div class="center">';
 print $langs->trans("BackupDesc", DOL_DATA_ROOT);
 print '</div>';
 print '<br>';
@@ -147,8 +147,11 @@ print '<input type="hidden" name="token" value="'.newToken().'" />';
 print '<input type="hidden" name="export_type" value="server" />';
 print '<fieldset id="fieldsetexport"><legend class="legendforfieldsetstep" style="font-size: 3em">1</legend>';
 
+print '<span class="opacitymedium">';
 print $langs->trans("BackupDesc3", $dolibarr_main_db_name).'<br>';
 //print $langs->trans("BackupDescY").'<br>';
+print '</span>';
+
 print '<br>';
 
 print '<div id="backupdatabaseleft" class="fichehalfleft" >';
@@ -157,7 +160,7 @@ $title = $langs->trans("BackupDumpWizard");
 
 print load_fiche_titre($title);
 
-print '<table width="100%" class="'.(!empty($useinecm) ? 'nobordernopadding' : 'liste').' nohover">';
+print '<table class="'.(!empty($useinecm) ? 'nobordernopadding' : 'liste noborderbottom').' nohover centpercent">';
 print '<tr class="liste_titre">';
 print '<td class="liste_titre">';
 print $langs->trans("DatabaseName").' : <b>'.$dolibarr_main_db_name.'</b><br>';
@@ -554,8 +557,10 @@ print '<input type="hidden" name="page_y" value="" />';
 
 print '<fieldset><legend class="legendforfieldsetstep" style="font-size: 3em">2</legend>';
 
+print '<span class="opacitymedium">';
 print $langs->trans("BackupDesc2", DOL_DATA_ROOT).'<br>';
 print $langs->trans("BackupDescX").'<br><br>';
+print '</span>';
 
 print '<div id="backupfilesleft" class="fichehalfleft">';
 
diff --git a/htdocs/admin/tools/dolibarr_import.php b/htdocs/admin/tools/dolibarr_import.php
index 1fc0ca49221..29bfe5c12a4 100644
--- a/htdocs/admin/tools/dolibarr_import.php
+++ b/htdocs/admin/tools/dolibarr_import.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2012	Laurent Destailleur	<eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2021	Laurent Destailleur	<eldy@users.sourceforge.net>
  * Copyright (C) 2006-2012	Regis Houssin		<regis.houssin@inodbox.com>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -22,6 +22,10 @@
  * 		\brief      Page to import database
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 
 // Load translation files required by the page
@@ -72,7 +76,7 @@ jQuery(document).ready(function() {
 
 print load_fiche_titre($langs->trans("Restore"), '', 'title_setup');
 
-print '<div class="center opacitymedium">';
+print '<div class="center">';
 print $langs->trans("RestoreDesc", DOL_DATA_ROOT);
 print '</div>';
 print '<br>';
@@ -81,7 +85,9 @@ print '<br>';
 <fieldset>
 <legend style="font-size: 3em">1</legend>
 <?php
+print '<span class="opacitymedium">';
 print $langs->trans("RestoreDesc2", DOL_DATA_ROOT).'<br><br>';
+print '</span>';
 ?>
 </fieldset>
 
@@ -90,7 +96,9 @@ print $langs->trans("RestoreDesc2", DOL_DATA_ROOT).'<br><br>';
 <fieldset>
 <legend style="font-size: 3em">2</legend>
 <?php
+print '<span class="opacitymedium">';
 print $langs->trans("RestoreDesc3", $dolibarr_main_db_name).'<br><br>';
+print '</span>';
 ?>
 
 <?php print $langs->trans("DatabaseName").' : <b>'.$dolibarr_main_db_name.'</b>'; ?><br><br>
diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php
index 34685676320..384b08e19cf 100644
--- a/htdocs/admin/tools/export_files.php
+++ b/htdocs/admin/tools/export_files.php
@@ -22,6 +22,10 @@
  *		\brief      Page to export documents into a compressed file
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
diff --git a/htdocs/admin/tools/listsessions.php b/htdocs/admin/tools/listsessions.php
index 61d2b1cea58..10a38fb59a1 100644
--- a/htdocs/admin/tools/listsessions.php
+++ b/htdocs/admin/tools/listsessions.php
@@ -22,9 +22,14 @@
  *      \brief      List of PHP sessions
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 
+
 // Load translation files required by the page
 $langs->loadLangs(array("companies", "install", "users", "other"));
 
@@ -185,14 +190,14 @@ print '<div class="tabsAction">';
 
 
 if (empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) {
-	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=lock">'.$langs->trans("LockNewSessions").'</a>';
+	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=lock&token='.newToken().'">'.$langs->trans("LockNewSessions").'</a>';
 } else {
-	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=confirm_unlock">'.$langs->trans("UnlockNewSessions").'</a>';
+	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?action=confirm_unlock&token='.newToken().'">'.$langs->trans("UnlockNewSessions").'</a>';
 }
 
 if ($savehandler == 'files') {
 	if (count($listofsessions)) {
-		print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=purge">'.$langs->trans("PurgeSessions").'</a>';
+		print '<a class="butActionDelete" href="'.$_SERVER["PHP_SELF"].'?action=purge&token='.newToken().'">'.$langs->trans("PurgeSessions").'</a>';
 	}
 }
 
diff --git a/htdocs/admin/tools/purge.php b/htdocs/admin/tools/purge.php
index e20b9c2b13a..09647549c8b 100644
--- a/htdocs/admin/tools/purge.php
+++ b/htdocs/admin/tools/purge.php
@@ -21,15 +21,15 @@
  *		\brief      Page to purge files (temporary or not)
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 
 $langs->load("admin");
 
-if (!$user->admin) {
-	accessforbidden();
-}
-
 $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $choice = GETPOST('choice', 'aZ09');
@@ -42,10 +42,15 @@ if (!empty($conf->syslog->enabled)) {
 	$filelog = preg_replace('/DOL_DATA_ROOT/i', DOL_DATA_ROOT, $filelog);
 }
 
+if (!$user->admin) {
+	accessforbidden();
+}
+
 
 /*
  *	Actions
  */
+
 if ($action == 'purge' && !preg_match('/^confirm/i', $choice) && ($choice != 'allfiles' || $confirm == 'yes')) {
 	// Increase limit of time. Works only if we are not in safe mode
 	$ExecTimeLimit = 600;
diff --git a/htdocs/admin/tools/update.php b/htdocs/admin/tools/update.php
index 5a6ff94ce57..821bcd9e3f3 100644
--- a/htdocs/admin/tools/update.php
+++ b/htdocs/admin/tools/update.php
@@ -22,6 +22,10 @@
  *		\brief      Page to make a Dolibarr online upgrade
  */
 
+if (! defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1');		// Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
@@ -100,7 +104,7 @@ if (function_exists('curl_init')) {
 			print $langs->trans("LastStableVersion").' : <b>'.$langs->trans("UpdateServerOffline").'</b><br>';
 		}
 	} else {
-		print $langs->trans("LastStableVersion").' : <a href="'.$_SERVER["PHP_SELF"].'?action=getlastversion" class="button">'.$langs->trans("Check").'</a><br>';
+		print $langs->trans("LastStableVersion").' : <a href="'.$_SERVER["PHP_SELF"].'?action=getlastversion&token='.newToken().'" class="button smallpaddingimp">'.$langs->trans("Check").'</a><br>';
 	}
 }
 
@@ -113,14 +117,14 @@ print '<hr>';
 print $langs->trans("ThisIsProcessToFollow").'<br>';
 print '<b>'.$langs->trans("StepNb", 1).'</b>: ';
 $fullurl = '<a href="'.$urldolibarr.'" target="_blank">'.$urldolibarr.'</a>';
-print $langs->trans("DownloadPackageFromWebSite", $fullurl).'<br>';
+print str_replace('{s}', $fullurl, $langs->trans("DownloadPackageFromWebSite", '{s}')).'<br>';
 print '<b>'.$langs->trans("StepNb", 2).'</b>: ';
-print $langs->trans("UnpackPackageInDolibarrRoot", $dolibarrroot).'<br>';
+print str_replace('{s}', $dolibarrroot, $langs->trans("UnpackPackageInDolibarrRoot", '{s}')).'<br>';
 print '<b>'.$langs->trans("StepNb", 3).'</b>: ';
 print $langs->trans("RemoveLock", $dolibarrdataroot.'/install.lock').'<br>';
 print '<b>'.$langs->trans("StepNb", 4).'</b>: ';
 $fullurl = '<a href="'.DOL_URL_ROOT.'/install/" target="_blank">'.DOL_URL_ROOT.'/install/</a>';
-print $langs->trans("CallUpdatePage", $fullurl).'<br>';
+print str_replace('{s}', $fullurl, $langs->trans("CallUpdatePage", '{s}')).'<br>';
 print '<b>'.$langs->trans("StepNb", 5).'</b>: ';
 print $langs->trans("RestoreLock", $dolibarrdataroot.'/install.lock').'<br>';
 
@@ -133,8 +137,9 @@ print '<br>';
 
 print $langs->trans("AddExtensionThemeModuleOrOther").'<br>';
 print '<hr>';
-
-print $langs->trans("GoModuleSetupArea", DOL_URL_ROOT.'/admin/modules.php?mode=deploy', $langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Modules"));
+$texttoshow = $langs->trans("GoModuleSetupArea", DOL_URL_ROOT.'/admin/modules.php?mode=deploy', '{s2}');
+$texttoshow = str_replace('{s2}', img_picto('', 'tools', 'class="pictofixedwidth"').$langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Modules"), $texttoshow);
+print $texttoshow;
 
 // End of page
 llxFooter();
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 333d4e2ded6..65b446727e5 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -195,7 +195,7 @@ class Commande extends CommonOrder
 
 	/**
 	 * @var int	Date expected for delivery
-	 * @see delivery_date
+	 * @see $delivery_date
 	 * @deprecated
 	 */
 	public $date_livraison;
diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php
index ea9f7799849..d1cc0413bfd 100644
--- a/htdocs/compta/bank/card.php
+++ b/htdocs/compta/bank/card.php
@@ -212,7 +212,7 @@ if (empty($reshook)) {
 		$object->ics = trim(GETPOST("ics", 'alpha'));
 		$object->ics_transfer = trim(GETPOST("ics_transfer", 'alpha'));
 
-		$account_number = GETPOST('account_number', 'alpha');
+		$account_number = GETPOST('account_number', 'alphanohtml');
 		if (empty($account_number) || $account_number == '-1') {
 			$object->account_number = '';
 		} else {
@@ -754,13 +754,13 @@ if ($action == 'create') {
 			print '</td></tr>';
 
 			if ($conf->prelevement->enabled) {
-				print '<tr><td>'.$langs->trans("ICS").'</td>';
+				print '<tr><td>'.$langs->trans("ICS").' ('.$langs->trans("StandingOrder").')</td>';
 				print '<td>'.$object->ics.'</td>';
 				print '</tr>';
 			}
 
 			if ($conf->paymentbybanktransfer->enabled) {
-				print '<tr><td>'.$langs->trans("ICSTransfer").'</td>';
+				print '<tr><td>'.$langs->trans("ICS").' ('.$langs->trans("BankTransfer").')</td>';
 				print '<td>'.$object->ics_transfer.'</td>';
 				print '</tr>';
 			}
@@ -1053,12 +1053,12 @@ if ($action == 'create') {
 			print '<td><input class="minwidth150 maxwidth200onsmartphone" maxlength="11" type="text" class="flat" name="bic" value="'.$object->bic.'"></td></tr>';
 
 			if ($conf->prelevement->enabled) {
-				print '<tr><td>'.$langs->trans("ICS").'</td>';
+				print '<tr><td>'.$langs->trans("ICS").' ('.$langs->trans("StandingOrder").')</td>';
 				print '<td><input class="minwidth150 maxwidth200onsmartphone" maxlength="32" type="text" class="flat" name="ics" value="'.$object->ics.'"></td></tr>';
 			}
 
 			if ($conf->paymentbybanktransfer->enabled) {
-				print '<tr><td>'.$langs->trans("ICSTransfer").'</td>';
+				print '<tr><td>'.$langs->trans("ICS").' ('.$langs->trans("BankTransfer").')</td>';
 				print '<td><input class="minwidth150 maxwidth200onsmartphone" maxlength="32" type="text" class="flat" name="ics_transfer" value="'.$object->ics_transfer.'"></td></tr>';
 			}
 
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index a94d068603a..b03ed9d93e0 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -325,19 +325,19 @@ if ($id > 0 || $ref) {
 
 	// Actions
 	if ($action != 'settransmitted' && $action != 'setcredited') {
-		print "\n<div class=\"tabsAction\">\n";
+		print "\n".'<div class="tabsAction">'."\n";
 
 		if (empty($object->date_trans) && $user->rights->prelevement->bons->send) {
-			print "<a class=\"butAction\" href=\"card.php?action=settransmitted&token='.newToken().'&id=".$object->id."\">".$langs->trans("SetToStatusSent")."</a>";
+			print '<a class="butAction" href="card.php?action=settransmitted&token='.newToken().'&id='.$object->id.'">'.$langs->trans("SetToStatusSent").'</a>';
 		}
 
 		if (!empty($object->date_trans) && $object->date_credit == 0) {
-			print "<a class=\"butAction\" href=\"card.php?action=setcredited&token='.newToken().'&id=".$object->id."\">".$langs->trans("ClassCredited")."</a>";
+			print '<a class="butAction" href="card.php?action=setcredited&token='.newToken().'&id='.$object->id.'">'.$langs->trans("ClassCredited").'</a>';
 		}
 
-		print "<a class=\"butActionDelete\" href=\"card.php?action=delete&token='.newToken().'&id=".$object->id."\">".$langs->trans("Delete")."</a>";
+		print '<a class="butActionDelete" href="card.php?action=delete&token='.newToken().'&id='.$object->id.'">'.$langs->trans("Delete").'</a>';
 
-		print "</div>";
+		print '</div>';
 	}
 
 
@@ -413,7 +413,7 @@ if ($id > 0 || $ref) {
 			print "<td>";
 			print $ligne->LibStatut($obj->statut, 2);
 			print "&nbsp;";
-			print '<a href="'.DOL_URL_ROOT.'/compta/prelevement/line.php?id='.$obj->rowid.'&type='.$object->type.'">';
+			print '<a href="'.DOL_URL_ROOT.'/compta/prelevement/line.php?id='.$obj->rowid.'&type='.$object->type.'&token='.newtoken().'">';
 			print sprintf("%06s", $obj->rowid);
 			print '</a></td>';
 
@@ -434,7 +434,7 @@ if ($id > 0 || $ref) {
 					if ($obj->statut == 2) {
 						if ($user->rights->prelevement->bons->credit) {
 							//print '<a class="butActionDelete" href="line.php?action=rejet&id='.$obj->rowid.'">'.$langs->trans("StandingOrderReject").'</a>';
-							print '<a href="line.php?action=rejet&type='.$object->type.'&id='.$obj->rowid.'">'.$langs->trans("StandingOrderReject").'</a>';
+							print '<a href="line.php?action=rejet&type='.$object->type.'&id='.$obj->rowid.'&token='.newtoken().'">'.$langs->trans("StandingOrderReject").'</a>';
 						} else {
 							//print '<a class="butActionRefused classfortooltip" href="#" title="'.$langs->trans("NotAllowed").'">'.$langs->trans("StandingOrderReject").'</a>';
 						}
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index be18099b6a8..6f045f3ca74 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
@@ -96,7 +96,7 @@ if (empty($reshook)) {
 		$bank = new Account($db);
 		$bank->fetch($conf->global->{$default_account});
 		if (empty($bank->ics) || empty($bank->ics_transfer)) {
-			$errormessage = str_replace('{url}', $bank->getNomUrl(1), $langs->trans("ErrorICSmissing", '{url}'));
+			$errormessage = str_replace('{url}', $bank->getNomUrl(1, '', '', -1, 1), $langs->trans("ErrorICSmissing", '{url}'));
 			setEventMessages($errormessage, null, 'errors');
 			header("Location: ".DOL_URL_ROOT.'/compta/prelevement/create.php');
 			exit;
@@ -125,9 +125,13 @@ if (empty($reshook)) {
 			}
 		} else {
 			if ($type != 'bank-transfer') {
-				setEventMessages($langs->trans("DirectDebitOrderCreated", $bprev->getNomUrl(1)), null);
+				$texttoshow = $langs->trans("DirectDebitOrderCreated", '{s}');
+				$texttoshow = str_replace('{s}', $bprev->getNomUrl(1), $texttoshow);
+				setEventMessages($texttoshow, null);
 			} else {
-				setEventMessages($langs->trans("CreditTransferOrderCreated", $bprev->getNomUrl(1)), null);
+				$texttoshow = $langs->trans("CreditTransferOrderCreated", '{s}');
+				$texttoshow = str_replace('{s}', $bprev->getNomUrl(1), $texttoshow);
+				setEventMessages($texttoshow, null);
 			}
 
 			header("Location: ".DOL_URL_ROOT.'/compta/prelevement/card.php?id='.$bprev->id);
@@ -230,12 +234,13 @@ print '<input type="hidden" name="token" value="'.newToken().'">';
 print '<input type="hidden" name="type" value="'.$type.'">';
 if ($nb) {
 	if ($pricetowithdraw) {
-		$title = print $langs->trans('BankToReceiveWithdraw').': ';
+		$title = $langs->trans('BankToReceiveWithdraw').': ';
 		if ($type == 'bank-transfer') {
-			$title .= $langs->trans('BankToPayCreditTransfer').': ';
+			$title = $langs->trans('BankToPayCreditTransfer').': ';
 		}
 		print $title;
-		$form->select_comptes($conf->global->PRELEVEMENT_ID_BANKACCOUNT, 'id_bankaccount', 0, "courant=1");
+		print img_picto('', 'bank_account');
+		print $form->select_comptes($conf->global->PRELEVEMENT_ID_BANKACCOUNT, 'id_bankaccount', 0, "courant=1", 0, '', 0, '', 1);
 		print ' - ';
 
 		print $langs->trans('ExecutionDate').' ';
@@ -439,7 +444,7 @@ if ($resql) {
 			}
 			print '</td>';
 			// Amount
-			print '<td class="right">';
+			print '<td class="right amount">';
 			print price($obj->amount, 0, $langs, 0, 0, -1, $conf->currency);
 			print '</td>';
 			// Date
diff --git a/htdocs/compta/prelevement/orders_list.php b/htdocs/compta/prelevement/orders_list.php
index 5c6f058bff1..3ca9ce32fbe 100644
--- a/htdocs/compta/prelevement/orders_list.php
+++ b/htdocs/compta/prelevement/orders_list.php
@@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/prelevement/class/bonprelevement.class.p
 require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 
 // Load translation files required by the page
-$langs->loadLangs(array('banks', 'categories', 'widthdrawals'));
+$langs->loadLangs(array('banks', 'categories', 'withdrawals'));
 
 $contextpage = GETPOST('contextpage', 'aZ') ? GETPOST('contextpage', 'aZ') : 'directdebitcredittransferlist'; // To manage different context of search
 
diff --git a/htdocs/compta/tva/list.php b/htdocs/compta/tva/list.php
index 69ce8ae8ae5..1dc0180bd60 100644
--- a/htdocs/compta/tva/list.php
+++ b/htdocs/compta/tva/list.php
@@ -31,6 +31,7 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/tva/class/tva.class.php';
 require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
 require_once DOL_DOCUMENT_ROOT.'/accountancy/class/accountingjournal.class.php';
 
@@ -135,6 +136,7 @@ if (empty($reshook)) {
 
 $form = new Form($db);
 $formother = new FormOther($db);
+$formfile = new FormFile($db);
 $tva_static = new Tva($db);
 $bankstatic = new Account($db);
 $accountingjournal = new AccountingJournal($db);
@@ -445,7 +447,13 @@ while ($i < min($num, $limit)) {
 
 	// Ref
 	if (!empty($arrayfields['t.rowid']['checked'])) {
-		print '<td>'.$tva_static->getNomUrl(1).'</td>';
+		print '<td>';
+		print $tva_static->getNomUrl(1);
+		$filename = dol_sanitizeFileName($tva_static->ref);
+		$filedir = $conf->tax->dir_output.'/vat/'.dol_sanitizeFileName($tva_static->ref);
+		$urlsource = $_SERVER['PHP_SELF'].'?id='.$tva_static->id;
+		print $formfile->getDocumentsLink($tva_static->element, $filename, $filedir, '', 'valignmiddle paddingleft2imp');
+		print '</td>';
 		if (!$i) {
 			$totalarray['nbfield']++;
 		}
diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php
index 509d10e7858..1814b476d06 100644
--- a/htdocs/core/ajax/selectsearchbox.php
+++ b/htdocs/core/ajax/selectsearchbox.php
@@ -110,13 +110,13 @@ if (!empty($conf->facture->enabled) && empty($conf->global->MAIN_SEARCHFORM_CUST
 }
 
 if (!empty($conf->supplier_proposal->enabled) && empty($conf->global->MAIN_SEARCHFORM_SUPPLIER_PROPAL_DISABLED) && $user->rights->supplier_proposal->lire) {
-	$arrayresult['searchintosupplierpropal'] = array('position'=>100, 'img'=>'object_propal', 'label'=>$langs->trans("SearchIntoSupplierProposals", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_proposal').' '.$langs->trans("SearchIntoSupplierProposals", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/supplier_proposal/list.php'.($search_boxvalue ? '?sall='.urlencode($search_boxvalue) : ''));
+	$arrayresult['searchintosupplierpropal'] = array('position'=>100, 'img'=>'object_supplier_proposal', 'label'=>$langs->trans("SearchIntoSupplierProposals", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_proposal').' '.$langs->trans("SearchIntoSupplierProposals", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/supplier_proposal/list.php'.($search_boxvalue ? '?sall='.urlencode($search_boxvalue) : ''));
 }
 if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) && $user->rights->fournisseur->commande->lire) || (!empty($conf->supplier_order->enabled) &&  $user->rights->supplier_order->lire)) && empty($conf->global->MAIN_SEARCHFORM_SUPPLIER_ORDER_DISABLED)) {
-	$arrayresult['searchintosupplierorder'] = array('position'=>110, 'img'=>'object_order', 'label'=>$langs->trans("SearchIntoSupplierOrders", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_order').' '.$langs->trans("SearchIntoSupplierOrders", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/fourn/commande/list.php'.($search_boxvalue ? '?search_all='.urlencode($search_boxvalue) : ''));
+	$arrayresult['searchintosupplierorder'] = array('position'=>110, 'img'=>'object_supplier_order', 'label'=>$langs->trans("SearchIntoSupplierOrders", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_order').' '.$langs->trans("SearchIntoSupplierOrders", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/fourn/commande/list.php'.($search_boxvalue ? '?search_all='.urlencode($search_boxvalue) : ''));
 }
 if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) && $user->rights->fournisseur->facture->lire) || (!empty($conf->supplier_invoice->enabled) && $user->rights->supplier_invoice->lire)) && empty($conf->global->MAIN_SEARCHFORM_SUPPLIER_INVOICE_DISABLED)) {
-	$arrayresult['searchintosupplierinvoice'] = array('position'=>120, 'img'=>'object_bill', 'label'=>$langs->trans("SearchIntoSupplierInvoices", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_invoice').' '.$langs->trans("SearchIntoSupplierInvoices", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/fourn/facture/list.php'.($search_boxvalue ? '?sall='.urlencode($search_boxvalue) : ''));
+	$arrayresult['searchintosupplierinvoice'] = array('position'=>120, 'img'=>'object_supplier_invoice', 'label'=>$langs->trans("SearchIntoSupplierInvoices", $search_boxvalue), 'text'=>img_picto('', 'object_supplier_invoice').' '.$langs->trans("SearchIntoSupplierInvoices", $search_boxvalue), 'url'=>DOL_URL_ROOT.'/fourn/facture/list.php'.($search_boxvalue ? '?sall='.urlencode($search_boxvalue) : ''));
 }
 
 // Customer payments
diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php
index 2a5e3391eb9..909178d4fb1 100644
--- a/htdocs/core/class/commondocgenerator.class.php
+++ b/htdocs/core/class/commondocgenerator.class.php
@@ -531,7 +531,7 @@ abstract class CommonDocGenerator
 				$totalUp += $line->subprice * $line->qty;
 			}
 
-			// @GS: Calculate total up and total discount percentage
+			// Calculate total up and total discount percentage
 			// Note that this added fields does not match a field into database in Dolibarr (Dolibarr manage discount on lines not as a global property of object)
 			$resarray['object_total_up'] = $totalUp;
 			$resarray['object_total_up_locale'] = price($resarray['object_total_up'], 0, $outputlangs);
diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php
index 2b8a2d15aff..60054ecf5ad 100644
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@@ -981,13 +981,15 @@ class FormFile
 	 *  You may want to call this into a div like this:
 	 *  print '<div class="inline-block valignmiddle">'.$formfile->getDocumentsLink($element_doc, $filename, $filedir).'</div>';
 	 *
-	 *	@param	string	$modulepart		propal, facture, facture_fourn, ...
+	 *	@param	string	$modulepart		'propal', 'facture', 'facture_fourn', ...
 	 *	@param	string	$modulesubdir	Sub-directory to scan (Example: '0/1/10', 'FA/DD/MM/YY/9999'). Use '' if file is not into subdir of module.
 	 *	@param	string	$filedir		Full path to directory to scan
 	 *  @param	string	$filter			Filter filenames on this regex string (Example: '\.pdf$')
+	 *  @param	string	$morecss		Add more css to the download picto
+	 *  @param	string	$allfiles		0=Only generated docs, 1=All files
 	 *	@return	string              	Output string with HTML link of documents (might be empty string). This also fill the array ->infofiles
 	 */
-	public function getDocumentsLink($modulepart, $modulesubdir, $filedir, $filter = '')
+	public function getDocumentsLink($modulepart, $modulesubdir, $filedir, $filter = '', $morecss = 'valignmiddle', $allfiles = 0)
 	{
 		global $conf, $langs;
 
@@ -1005,12 +1007,11 @@ class FormFile
 			$entity = ((!empty($regs[1]) && $regs[1] > 1) ? $regs[1] : 1); // If entity id not found in $filedir this is entity 1 by default
 		}
 
-		// Get list of files starting with name of ref (but not followed by "-" to discard uploaded files and get only generated files)
-		// @todo Why not showing by default all files by just removing the '[^\-]+' at end of regex ?
-		if (!empty($conf->global->MAIN_SHOW_ALL_FILES_ON_DOCUMENT_TOOLTIP)) {
-			$filterforfilesearch = preg_quote(basename($modulesubdir), '/');
+		// Get list of files starting with name of ref (Note: files with '^ref\.extension' are generated files, files with '^ref-...' are uploaded files)
+		if ($allfiles || !empty($conf->global->MAIN_SHOW_ALL_FILES_ON_DOCUMENT_TOOLTIP)) {
+			$filterforfilesearch = '^'.preg_quote(basename($modulesubdir), '/');
 		} else {
-			$filterforfilesearch = preg_quote(basename($modulesubdir), '/').'[^\-]+';
+			$filterforfilesearch = '^'.preg_quote(basename($modulesubdir), '/').'\.';
 		}
 		$file_list = dol_dir_list($filedir, 'files', 0, $filterforfilesearch, '\.meta$|\.png$'); // We also discard .meta and .png preview
 
@@ -1019,7 +1020,7 @@ class FormFile
 		$out .= '<!-- html.formfile::getDocumentsLink -->'."\n";
 		if (!empty($file_list)) {
 			$out = '<dl class="dropdown inline-block">
-    			<dt><a data-ajax="false" href="#" onClick="return false;">'.img_picto('', 'listlight', '', 0, 0, 0, '', 'valignmiddle').'</a></dt>
+    			<dt><a data-ajax="false" href="#" onClick="return false;">'.img_picto('', 'listlight', '', 0, 0, 0, '', $morecss).'</a></dt>
     			<dd><div class="multichoicedoc" style="position:absolute;left:100px;" ><ul class="ulselectedfields">';
 			$tmpout = '';
 
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 05d8c6c4ec5..3c35bcda2a9 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2235,7 +2235,7 @@ function dol_most_recent_file($dir, $regexfilter = '', $excludefilter = array('(
  * Security check when accessing to a document (used by document.php, viewimage.php and webservices to get documents).
  * TODO Replace code that set $accesallowed by a call to restrictedArea()
  *
- * @param	string	$modulepart			Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp')
+ * @param	string	$modulepart			Module of document ('module', 'module_user_temp', 'module_user' or 'module_temp'). Exemple: 'medias', 'invoice', 'logs', 'tax-vat', ...
  * @param	string	$original_file		Relative path with filename, relative to modulepart.
  * @param	string	$entity				Restrict onto entity (0=no restriction)
  * @param  	User	$fuser				User object (forced)
@@ -2263,10 +2263,13 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 			$entity = 0;
 		}
 	}
-	// Fix modulepart
+	// Fix modulepart for backward compatibility
 	if ($modulepart == 'users') {
 		$modulepart = 'user';
 	}
+	if ($modulepart == 'tva') {
+		$modulepart = 'tax-vat';
+	}
 
 	//print 'dol_check_secure_access_document modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity;
 	dol_syslog('dol_check_secure_access_document modulepart='.$modulepart.' original_file='.$original_file.' entity='.$entity);
@@ -2436,7 +2439,7 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 			$accessallowed = 1;
 		}
 		$original_file = (!empty($conf->product->multidir_temp[$entity]) ? $conf->product->multidir_temp[$entity] : $conf->service->multidir_temp[$entity]).'/'.$original_file;
-	} elseif (in_array($modulepart, array('tax', 'tax-vat')) && !empty($conf->tax->dir_output)) {
+	} elseif (in_array($modulepart, array('tax', 'tax-vat', 'tva')) && !empty($conf->tax->dir_output)) {
 		// Wrapping for taxes
 		if ($fuser->rights->tax->charges->{$lire}) {
 			$accessallowed = 1;
diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php
index 1fbd91cb623..d0b30d97398 100644
--- a/htdocs/core/menus/standard/eldy.lib.php
+++ b/htdocs/core/menus/standard/eldy.lib.php
@@ -334,7 +334,7 @@ function print_eldy_menu($db, $atarget, $type_user, &$tabMenu, &$menu, $noout =
 	// Accounting
 	$tmpentry = array(
 		'enabled'=>(!empty($conf->comptabilite->enabled) || !empty($conf->accounting->enabled) || !empty($conf->asset->enabled) || !empty($conf->intracommreport->enabled)),
-		'perms'=>(!empty($user->rights->compta->resultat->lire) || !empty($user->rights->accounting->mouvements->lire) || !empty($user->rights->asset->read) || !empty($user->rights->intracommreport->read)),
+		'perms'=>(!empty($user->rights->compta->resultat->lire) || !empty($user->rights->accounting->comptarapport->lire) || !empty($user->rights->accounting->mouvements->lire) || !empty($user->rights->asset->read) || !empty($user->rights->intracommreport->read)),
 		'module'=>'comptabilite|accounting|asset|intracommreport'
 	);
 	$menu_arr[] = array(
@@ -1205,7 +1205,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM
 
 			// Accounting (Double entries)
 			if (!empty($conf->accounting->enabled)) {
-				$permtoshowmenu = (!empty($conf->accounting->enabled) || $user->rights->accounting->bind->write || $user->rights->compta->resultat->lire);
+				//$permtoshowmenu = (!empty($conf->accounting->enabled) || $user->rights->accounting->bind->write || $user->rights->compta->resultat->lire);
 				//$newmenu->add("/accountancy/index.php?leftmenu=accountancy", $langs->trans("MenuAccountancy"), 0, $permtoshowmenu, '', $mainmenu, 'accountancy');
 
 				// Configuration
@@ -1342,7 +1342,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM
 				}
 
 				// Accounting
-				$newmenu->add("/accountancy/index.php?leftmenu=accountancy_accountancy", $langs->trans("MenuAccountancy"), 0, $user->rights->accounting->mouvements->lire, '', $mainmenu, 'accountancy', 1, '', '', '', img_picto('', 'accountancy', 'class="paddingright pictofixedwidth"'));
+				$newmenu->add("/accountancy/index.php?leftmenu=accountancy_accountancy", $langs->trans("MenuAccountancy"), 0, $user->rights->accounting->mouvements->lire || $user->rights->accounting->comptarapport->lire, '', $mainmenu, 'accountancy', 1, '', '', '', img_picto('', 'accountancy', 'class="paddingright pictofixedwidth"'));
 
 				// General Ledger
 				$newmenu->add("/accountancy/bookkeeping/listbyaccount.php?mainmenu=accountancy&amp;leftmenu=accountancy_accountancy", $langs->trans("Bookkeeping"), 1, $user->rights->accounting->mouvements->lire);
diff --git a/htdocs/core/search_page.php b/htdocs/core/search_page.php
index 8581776a2d8..2b82501208a 100644
--- a/htdocs/core/search_page.php
+++ b/htdocs/core/search_page.php
@@ -20,7 +20,7 @@
 
 /**
  *       \file       htdocs/core/search_page.php
- *       \brief      File to return a page with search boxes
+ *       \brief      File to return a page with the complete search form (all search input fields)
  */
 
 //if (! defined('NOREQUIREUSER'))   define('NOREQUIREUSER','1');	// Not disabled cause need to load personalized language
@@ -77,7 +77,7 @@ $hookmanager->initHooks(array('searchform'));
 // Define $searchform
 $searchform = '';
 
-if ($conf->use_javascript_ajax && 1 == 2) {   // select2 is ko with jmobile
+if ($conf->use_javascript_ajax && 1 == 2) {   // select2 is not best with smartphone
 	if (!is_object($form)) {
 		$form = new Form($db);
 	}
diff --git a/htdocs/knowledgemanagement/class/knowledgerecord.class.php b/htdocs/knowledgemanagement/class/knowledgerecord.class.php
index 550ef976aba..dacdf57d3a8 100644
--- a/htdocs/knowledgemanagement/class/knowledgerecord.class.php
+++ b/htdocs/knowledgemanagement/class/knowledgerecord.class.php
@@ -114,7 +114,7 @@ class KnowledgeRecord extends CommonObject
 		'answer' => array('type'=>'html', 'label'=>'Solution', 'enabled'=>'1', 'position'=>50, 'notnull'=>0, 'visible'=>3, 'csslist'=>'tdoverflow300'),
 		//'url' => array('type'=>'varchar(255)', 'label'=>'URL', 'enabled'=>'1', 'position'=>55, 'notnull'=>0, 'visible'=>-1, 'csslist'=>'tdoverflow200', 'help'=>'UrlForInfoPage'),
 		'fk_c_ticket_category' => array('type'=>'integer:CTicketCategory:ticket/class/cticketcategory.class.php', 'label'=>'GroupOfTicket', 'enabled'=>'$conf->ticket->enabled', 'position'=>512, 'notnull'=>0, 'visible'=>-1, 'help'=>'YouCanLinkArticleToATicketCategory'),
-		'status' => array('type'=>'integer', 'label'=>'Status', 'enabled'=>'1', 'position'=>1000, 'notnull'=>1, 'visible'=>1, 'default'=>0, 'index'=>1, 'arrayofkeyval'=>array('0'=>'Draft', '1'=>'Valid'),),
+		'status' => array('type'=>'integer', 'label'=>'Status', 'enabled'=>'1', 'position'=>1000, 'notnull'=>1, 'visible'=>1, 'default'=>0, 'index'=>1, 'arrayofkeyval'=>array('0'=>'Draft', '1'=>'Validated'),),
 	);
 	public $rowid;
 	public $ref;
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index 76f5c18b70b..d4047e654d3 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -1780,7 +1780,7 @@ ClickToDialSetup=Click To Dial module setup
 ClickToDialUrlDesc=Url called when a click on phone picto is done.  In URL, you can use tags<br><b>__PHONETO__</b> that will be replaced with the phone number of person to call<br><b>__PHONEFROM__</b> that will be replaced with phone number of calling person (yours)<br><b>__LOGIN__</b> that will be replaced with clicktodial login (defined on user card)<br><b>__PASS__</b> that will be replaced with clicktodial password (defined on user card).
 ClickToDialDesc=This module change phone numbers, when using a desktop computer, into clickable links. A click will call the number. This can be used to start the phone call when using a soft phone on your desktop or when using a CTI system based on SIP protocol for example. Note: When using a smartphone, phone numbers are always clickable.
 ClickToDialUseTelLink=Use just a link "tel:" on phone numbers
-ClickToDialUseTelLinkDesc=Use this method if your users have a softphone or a software interface, installed on the same computer as the browser, and called when you click on a link starting with "tel:" in your browser. If you need link that start with "sip:" or a full server solution (no need of local software installation), you must set this to "No" and fill next field.
+ClickToDialUseTelLinkDesc=Use this method if your users have a softphone or a software interface, installed on the same computer as the browser, and called when you click on a link starting with "tel:" in your browser. If you need a link that start with "sip:" or a full server solution (no need of local software installation), you must set this to "No" and fill the next field.
 ##### Point Of Sale (CashDesk) #####
 CashDesk=Point of Sale
 CashDeskSetup=Point of Sales module setup
diff --git a/htdocs/langs/en_US/languages.lang b/htdocs/langs/en_US/languages.lang
index 373fdf2eab5..e3b6bed94c8 100644
--- a/htdocs/langs/en_US/languages.lang
+++ b/htdocs/langs/en_US/languages.lang
@@ -2,6 +2,7 @@
 Language_am_ET=Ethiopian
 Language_ar_AR=Arabic
 Language_ar_EG=Arabic (Egypt)
+Language_ar_MA=Arabic (Moroco)
 Language_ar_SA=Arabic
 Language_ar_TN=Arabic (Tunisia)
 Language_ar_IQ=Arabic (Iraq)
diff --git a/htdocs/langs/en_US/withdrawals.lang b/htdocs/langs/en_US/withdrawals.lang
index 7d5b57f7da9..a3773a427a1 100644
--- a/htdocs/langs/en_US/withdrawals.lang
+++ b/htdocs/langs/en_US/withdrawals.lang
@@ -133,8 +133,7 @@ SEPARCUR=SEPA CUR
 SEPAFRST=SEPA FRST
 ExecutionDate=Execution date
 CreateForSepa=Create direct debit file
-ICS=Creditor Identifier CI for direct debit
-ICSTransfer=Creditor Identifier CI for bank transfer
+ICS=Creditor Identifier - ICS
 END_TO_END="EndToEndId" SEPA XML tag - Unique id assigned per transaction
 USTRD="Unstructured" SEPA XML tag
 ADDDAYS=Add days to Execution Date
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2ceb2175799..e4677499bd6 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -2015,27 +2015,25 @@ function top_menu_user($hideloginname = 0, $urllogout = '')
 	$dropdownBody .= '<span id="topmenulogincompanyinfo-btn"><i class="fa fa-caret-right"></i> '.$langs->trans("ShowCompanyInfos").'</span>';
 	$dropdownBody .= '<div id="topmenulogincompanyinfo" >';
 
-	if (!empty($conf->global->MAIN_INFO_SIREN)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId1Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_SIREN).'</span>';
+	if ($langs->transcountry("ProfId1", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId1", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_SIREN).'</span>';
 	}
-	if (!empty($conf->global->MAIN_INFO_SIRET)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId2Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_SIRET).'</span>';
+	if ($langs->transcountry("ProfId2", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId2", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_SIRET).'</span>';
 	}
-	if (!empty($conf->global->MAIN_INFO_APE)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId3Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_APE).'</span>';
+	if ($langs->transcountry("ProfId3", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId3", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_APE).'</span>';
 	}
-	if (!empty($conf->global->MAIN_INFO_RCS)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId4Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_RCS).'</span>';
+	if ($langs->transcountry("ProfId4", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId4", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_RCS).'</span>';
 	}
-	if (!empty($conf->global->MAIN_INFO_PROFID5)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId5Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_PROFID5).'</span>';
+	if ($langs->transcountry("ProfId5", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId5", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_PROFID5).'</span>';
 	}
-	if (!empty($conf->global->MAIN_INFO_PROFID6)) {
-		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId6Short", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_PROFID6).'</span>';
-	}
-	if (!empty($conf->global->MAIN_INFO_TVAINTRA)) {
-		$dropdownBody .= '<br><b>'.$langs->trans("VATIntraShort").'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_TVAINTRA).'</span>';
+	if ($langs->transcountry("ProfId6", $mysoc->country_code) != '-') {
+		$dropdownBody .= '<br><b>'.$langs->transcountry("ProfId6", $mysoc->country_code).'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_PROFID6).'</span>';
 	}
+	$dropdownBody .= '<br><b>'.$langs->trans("VATIntraShort").'</b>: <span>'.showValueWithClipboardCPButton($conf->global->MAIN_INFO_TVAINTRA).'</span>';
 
 	$dropdownBody .= '</div>';
 
diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php
index aff3e4cce92..d3c7ba504cb 100755
--- a/htdocs/salaries/card.php
+++ b/htdocs/salaries/card.php
@@ -729,7 +729,7 @@ if ($id) {
 	if ($action == 'edit') {
 		print '<tr><td class="fieldrequired">' . $langs->trans("Amount") . '</td><td><input name="amount" size="10" value="' . price($object->amount) . '"></td></tr>';
 	} else {
-		print '<tr><td>' . $langs->trans("Amount") . '</td><td>' . price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency) . '</td></tr>';
+		print '<tr><td>' . $langs->trans("Amount") . '</td><td><span class="amount">' . price($object->amount, 0, $langs, 1, -1, -1, $conf->currency) . '</span></td></tr>';
 	}
 
 	// Default mode of payment
diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php
index ab9ab624801..e384007262f 100644
--- a/htdocs/theme/eldy/global.inc.php
+++ b/htdocs/theme/eldy/global.inc.php
@@ -736,6 +736,9 @@ textarea.centpercent {
 .paddingleft2 {
 	padding-<?php print $left; ?>: 2px;
 }
+.paddingleft2imp {
+	padding-<?php print $left; ?>: 2px !important;
+}
 .paddingright {
 	padding-<?php print $right; ?>: 4px;
 }
diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php
index 8e679e754f2..dfa8b00f9eb 100644
--- a/htdocs/theme/md/style.css.php
+++ b/htdocs/theme/md/style.css.php
@@ -878,12 +878,18 @@ textarea.centpercent {
 .paddingleft2 {
 	padding-<?php print $left; ?>: 2px;
 }
+.paddingleft2imp {
+	padding-<?php print $left; ?>: 2px !important;
+}
 .paddingright {
 	padding-<?php print $right; ?>: 4px;
 }
 .paddingright2 {
 	padding-<?php print $right; ?>: 2px;
 }
+.paddingright2imp {
+	padding-<?php print $right; ?>: 2px !important;
+}
 .marginleft2 {
 	margin-<?php print $left; ?>: 2px;
 }
diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php
index 9fc4426ecac..e2c419b0543 100644
--- a/htdocs/user/group/perms.php
+++ b/htdocs/user/group/perms.php
@@ -22,9 +22,13 @@
 
 /**
  *		\file		htdocs/user/group/perms.php
- * 		\brief		Onglet user et permissions de la fiche utilisateur
+ * 		\brief		Page to set permissions of a user group record
  */
 
+if (!defined('CSRFCHECK_WITH_TOKEN')) {
+	define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET
+}
+
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/user/class/usergroup.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php';
@@ -41,6 +45,10 @@ $module = GETPOST('module', 'alpha');
 $rights = GETPOST('rights', 'int');
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'groupperms'; // To manage different context of search
 
+if (!isset($id) || empty($id)) {
+	accessforbidden();
+}
+
 // Define if user can read permissions
 $canreadperms = ($user->admin || $user->rights->user->user->lire);
 // Define if user can modify group permissions
@@ -53,12 +61,15 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 	$caneditperms = ($user->admin || $user->rights->user->group_advance->write);
 }
 
+// Security check
+//$result = restrictedArea($user, 'user', $id, 'usergroup', '');
 if (!$canreadperms) {
 	accessforbidden();
 }
 
 $object = new Usergroup($db);
 $object->fetch($id);
+$object->getrights();
 
 $entity = $conf->entity;
 
@@ -79,7 +90,7 @@ if ($reshook < 0) {
 if (empty($reshook)) {
 	if ($action == 'addrights' && $caneditperms) {
 		$editgroup = new Usergroup($db);
-		$result = $editgroup->fetch($id);
+		$result = $editgroup->fetch($object->id);
 		if ($result > 0) {
 			$result = $editgroup->addrights($rights, $module, '', $entity);
 			if ($result < 0) {
@@ -88,6 +99,9 @@ if (empty($reshook)) {
 		} else {
 			dol_print_error($db);
 		}
+
+		$user->clearrights();
+		$user->getrights();
 	}
 
 	if ($action == 'delrights' && $caneditperms) {
@@ -101,11 +115,14 @@ if (empty($reshook)) {
 		} else {
 			dol_print_error($db);
 		}
+
+		$user->clearrights();
+		$user->getrights();
 	}
 }
 
 
-/**
+/*
  * View
  */
 
@@ -114,11 +131,6 @@ $form = new Form($db);
 llxHeader('', $langs->trans("Permissions"));
 
 if ($object->id > 0) {
-	/*
-	 * Affichage onglets
-	 */
-	$object->getrights(); // Reload permission
-
 	$head = group_prepare_head($object);
 	$title = $langs->trans("Group");
 	print dol_get_fiche_head($head, 'rights', $title, -1, 'group');
@@ -165,8 +177,8 @@ if ($object->id > 0) {
 	$sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r,";
 	$sql .= " ".MAIN_DB_PREFIX."usergroup_rights as gr";
 	$sql .= " WHERE gr.fk_id = r.id";
-	$sql .= " AND gr.entity = ".$entity;
-	$sql .= " AND gr.fk_usergroup = ".$object->id;
+	$sql .= " AND gr.entity = ".((int) $entity);
+	$sql .= " AND gr.fk_usergroup = ".((int) $object->id);
 
 	dol_syslog("get user perms", LOG_DEBUG);
 	$result = $db->query($sql);
@@ -186,6 +198,10 @@ if ($object->id > 0) {
 		dol_print_error($db);
 	}
 
+	/*
+	 * Part to add/remove permissions
+	 */
+
 	$linkback = '<a href="'.DOL_URL_ROOT.'/user/group/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
 
 	dol_banner_tab($object, 'id', $linkback, $user->rights->user->user->lire || $user->admin);
@@ -193,9 +209,6 @@ if ($object->id > 0) {
 	print '<div class="fichecenter">';
 	print '<div class="underbanner clearboth"></div>';
 
-	/*
-	 * Ecran ajout/suppression permission
-	 */
 
 	print '<table class="border centpercent tableforfield">';
 
@@ -235,26 +248,26 @@ if ($object->id > 0) {
 	print '<td>'.$langs->trans("Module").'</td>';
 	if ($caneditperms) {
 		print '<td class="center nowrap">';
-		print '<a class="reposition commonlink" title="'.dol_escape_htmltag($langs->trans("All")).'" alt="'.dol_escape_htmltag($langs->trans("All")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;module=allmodules&amp;token='.newToken().'">'.$langs->trans("All")."</a>";
+		print '<a class="reposition commonlink" title="'.dol_escape_htmltag($langs->trans("All")).'" alt="'.dol_escape_htmltag($langs->trans("All")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;module=allmodules&amp;confirm=yes&amp;token='.newToken().'">'.$langs->trans("All")."</a>";
 		print '/';
-		print '<a class="reposition commonlink" title="'.dol_escape_htmltag($langs->trans("None")).'" alt="'.dol_escape_htmltag($langs->trans("None")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;module=allmodules&amp;token='.newToken().'">'.$langs->trans("None")."</a>";
+		print '<a class="reposition commonlink" title="'.dol_escape_htmltag($langs->trans("None")).'" alt="'.dol_escape_htmltag($langs->trans("None")).'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;module=allmodules&amp;confirm=yes&amp;token='.newToken().'">'.$langs->trans("None")."</a>";
 		print '</td>';
 	}
 	print '<td class="center" width="24">&nbsp;</td>';
 	print '<td>'.$langs->trans("Permissions").'</td>';
 	if ($user->admin) {
-		print '<td class="right">'.$langs->trans("ID").'</td>';
+		print '<td class="right"></td>';
 	}
 	print '</tr>'."\n";
 
-	$sql = "SELECT r.id, r.libelle as label, r.module";
+	$sql = "SELECT r.id, r.libelle as label, r.module, r.perms, r.subperms, r.module_position, r.bydefault";
 	$sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r";
 	$sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous"
-	$sql .= " AND r.entity = ".$entity;
+	$sql .= " AND r.entity = ".((int) $entity);
 	if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 		$sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is disable
 	}
-	$sql .= " ORDER BY r.module, r.id";
+	$sql .= " ORDER BY r.family_position, r.module_position, r.module, r.id";
 
 	$result = $db->query($sql);
 	if ($result) {
@@ -265,13 +278,16 @@ if ($object->id > 0) {
 		while ($i < $num) {
 			$obj = $db->fetch_object($result);
 
-			// If line is for a module that doe snot existe anymore (absent of includes/module), we ignore it
+			// If line is for a module that does not exist anymore (absent of includes/module), we ignore it
 			if (empty($modules[$obj->module])) {
 				$i++;
 				continue;
 			}
 
-			if ($oldmod <> $obj->module) {
+			$objMod = $modules[$obj->module];
+
+			// Break found, it's a new module to catch
+			if (isset($obj->module) && ($oldmod <> $obj->module)) {
 				$oldmod = $obj->module;
 
 				// Break detected, we get objMod
@@ -286,21 +302,22 @@ if ($object->id > 0) {
 				print '</td>';
 				if ($caneditperms) {
 					print '<td class="center nowrap">';
-					print '<a class="reposition" title='.$langs->trans("All").' alt='.$langs->trans("All").' href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;module='.$obj->module.'&amp;token='.newToken().'">'.$langs->trans("All")."</a>";
+					print '<a class="reposition" title="'.dol_escape_htmltag($langs->trans("All")).'" alt="'.$langs->trans("All").'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;module='.$obj->module.'&amp;token='.newToken().'">'.$langs->trans("All")."</a>";
 					print '/';
-					print '<a class="reposition" title='.$langs->trans("None").' alt='.$langs->trans("None").' href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;module='.$obj->module.'&amp;token='.newToken().'">'.$langs->trans("None")."</a>";
+					print '<a class="reposition" title="'.dol_escape_htmltag($langs->trans("None")).'" alt="'.$langs->trans("None").'" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;module='.$obj->module.'&amp;token='.newToken().'">'.$langs->trans("None")."</a>";
 					print '</td>';
 				} else {
 					print '<td>&nbsp;</td>';
 				}
-				print '<td colspan="2">&nbsp;</td>';
+				print '<td>&nbsp;</td>';
+				print '<td>&nbsp;</td>';
 
 				// Permission id
 				if ($user->admin) {
 					print '<td class="right"></td>';
 				}
 
-				print '</tr>';
+				print '</tr>'."\n";
 			}
 
 			print '<!-- '.$obj->module.'->'.$obj->perms.($obj->subperms ? '->'.$obj->subperms : '').' -->'."\n";
@@ -315,7 +332,7 @@ if ($object->id > 0) {
 				if (in_array($obj->id, $permsgroupbyentity[$entity])) {
 					// Own permission by group
 					if ($caneditperms) {
-						print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'">';
+						print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'&amp;confirm=yes&amp;token='.newToken().'">';
 						//print img_edit_remove($langs->trans("Remove"));
 						print img_picto($langs->trans("Remove"), 'switch_on');
 						print '</a></td>';
@@ -326,7 +343,7 @@ if ($object->id > 0) {
 				} else {
 					// Do not own permission
 					if ($caneditperms) {
-						print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'&amp;token='.newToken().'">';
+						print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'&amp;confirm=yes&amp;token='.newToken().'">';
 						//print img_edit_add($langs->trans("Add"));
 						print img_picto($langs->trans("Add"), 'switch_off');
 						print '</a></td>';
@@ -336,7 +353,7 @@ if ($object->id > 0) {
 			} else {
 				// Do not own permission
 				if ($caneditperms) {
-					print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'&amp;token='.newToken().'">';
+					print '<td class="center"><a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addrights&amp;entity='.$entity.'&amp;rights='.$obj->id.'&amp;confirm=yes&amp;token='.newToken().'">';
 					//print img_edit_add($langs->trans("Add"));
 					print img_picto($langs->trans("Add"), 'switch_off');
 					print '</a></td>';
@@ -344,12 +361,25 @@ if ($object->id > 0) {
 				print '<td>&nbsp;</td>';
 			}
 
-			$permlabel = ($conf->global->MAIN_USE_ADVANCED_PERMS && ($langs->trans("PermissionAdvanced".$obj->id) != ("PermissionAdvanced".$obj->id)) ? $langs->trans("PermissionAdvanced".$obj->id) : (($langs->trans("Permission".$obj->id) != ("Permission".$obj->id)) ? $langs->trans("Permission".$obj->id) : $langs->trans($obj->label)));
-			print '<td class="maxwidthonsmartphone">'.$permlabel.'</td>';
+			// Description of permission
+			$permlabel = (!empty($conf->global->MAIN_USE_ADVANCED_PERMS) && ($langs->trans("PermissionAdvanced".$obj->id) != ("PermissionAdvanced".$obj->id)) ? $langs->trans("PermissionAdvanced".$obj->id) : (($langs->trans("Permission".$obj->id) != ("Permission".$obj->id)) ? $langs->trans("Permission".$obj->id) : $langs->trans($obj->label)));
+			print '<td>';
+			print $permlabel;
+			if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
+				if (preg_match('/_advance$/', $obj->perms)) {
+					print ' <span class="opacitymedium">('.$langs->trans("AdvancedModeOnly").')</span>';
+				}
+			}
+			print '</td>';
 
 			// Permission id
 			if ($user->admin) {
-				print '<td class="right"><span class="opacitymedium">'.$obj->id.'</span></td>';
+				print '<td class="right">';
+				$htmltext = $langs->trans("ID").': '.$obj->id;
+				$htmltext .= '<br>'.$langs->trans("Permission").': user->rights->'.$obj->module.'->'.$obj->perms.($obj->subperms ? '->'.$obj->subperms : '');
+				print $form->textwithpicto('', $htmltext);
+				//print '<span class="opacitymedium">'.$obj->id.'</span>';
+				print '</td>';
 			}
 
 			print '</tr>'."\n";
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index 957c7a3a819..5e96a76119c 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -90,7 +90,7 @@ $hookmanager->initHooks(array('usercard', 'userperms', 'globalcard'));
  * Actions
  */
 
-$parameters = array('id'=>$socid);
+$parameters = array('socid'=>$socid);
 $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
 if ($reshook < 0) {
 	setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
@@ -193,7 +193,7 @@ $permsuser = array();
 
 $sql = "SELECT DISTINCT ur.fk_id";
 $sql .= " FROM ".MAIN_DB_PREFIX."user_rights as ur";
-$sql .= " WHERE ur.entity = ".$entity;
+$sql .= " WHERE ur.entity = ".((int) $entity);
 $sql .= " AND ur.fk_user = ".((int) $object->id);
 
 dol_syslog("get user perms", LOG_DEBUG);
@@ -386,7 +386,7 @@ if ($result) {
 
 		// Picto and label of module
 		print '<td class="maxwidthonsmartphone tdoverflowonsmartphone">';
-		//print img_object('', $picto, 'class="pictoobjectwidth"').' '.$objMod->getName();
+		//print img_object('', $picto, 'class="inline-block pictoobjectwidth"').' '.$objMod->getName();
 		print '</td>';
 
 		// Permission and tick

'; print $langs->trans("DatabaseName").' : '.$dolibarr_main_db_name.' '; @@ -554,8 +557,10 @@ print ''; print ' 2'; +print ''; print $langs->trans("BackupDesc2", DOL_DATA_ROOT).' '; print $langs->trans("BackupDescX").' '; +print ''; print ' '; diff --git a/htdocs/admin/tools/dolibarr_import.php b/htdocs/admin/tools/dolibarr_import.php index 1fc0ca49221..29bfe5c12a4 100644 --- a/htdocs/admin/tools/dolibarr_import.php +++ b/htdocs/admin/tools/dolibarr_import.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2006-2021 Laurent Destailleur * Copyright (C) 2006-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify @@ -22,6 +22,10 @@ * \brief Page to import database / +if (! defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; // Load translation files required by the page @@ -72,7 +76,7 @@ jQuery(document).ready(function() { print load_fiche_titre($langs->trans("Restore"), '', 'title_setup'); -print ' '; +print ' '; print $langs->trans("RestoreDesc", DOL_DATA_ROOT); print ' '; print ' '; @@ -81,7 +85,9 @@ print ' '; 1 '; print $langs->trans("RestoreDesc2", DOL_DATA_ROOT).' '; +print ''; ?> @@ -90,7 +96,9 @@ print $langs->trans("RestoreDesc2", DOL_DATA_ROOT).' '; 2 '; print $langs->trans("RestoreDesc3", $dolibarr_main_db_name).' '; +print ''; ?> trans("DatabaseName").' : '.$dolibarr_main_db_name.''; ?> diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php index 34685676320..384b08e19cf 100644 --- a/htdocs/admin/tools/export_files.php +++ b/htdocs/admin/tools/export_files.php @@ -22,6 +22,10 @@ \brief Page to export documents into a compressed file / +if (! defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; diff --git a/htdocs/admin/tools/listsessions.php b/htdocs/admin/tools/listsessions.php index 61d2b1cea58..10a38fb59a1 100644 --- a/htdocs/admin/tools/listsessions.php +++ b/htdocs/admin/tools/listsessions.php @@ -22,9 +22,14 @@ \brief List of PHP sessions / +if (! defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; + // Load translation files required by the page $langs->loadLangs(array("companies", "install", "users", "other")); @@ -185,14 +190,14 @@ print ' '; if (empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) { - print ''.$langs->trans("LockNewSessions").''; + print ''.$langs->trans("LockNewSessions").''; } else { - print ''.$langs->trans("UnlockNewSessions").''; + print ''.$langs->trans("UnlockNewSessions").''; } if ($savehandler == 'files') { if (count($listofsessions)) { - print ''.$langs->trans("PurgeSessions").''; + print ''.$langs->trans("PurgeSessions").''; } } diff --git a/htdocs/admin/tools/purge.php b/htdocs/admin/tools/purge.php index e20b9c2b13a..09647549c8b 100644 --- a/htdocs/admin/tools/purge.php +++ b/htdocs/admin/tools/purge.php @@ -21,15 +21,15 @@ \brief Page to purge files (temporary or not) / +if (! defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $langs->load("admin"); -if (!$user->admin) { - accessforbidden(); -} - $action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $choice = GETPOST('choice', 'aZ09'); @@ -42,10 +42,15 @@ if (!empty($conf->syslog->enabled)) { $filelog = preg_replace('/DOL_DATA_ROOT/i', DOL_DATA_ROOT, $filelog); } +if (!$user->admin) { + accessforbidden(); +} + / * Actions / + if ($action == 'purge' && !preg_match('/^confirm/i', $choice) && ($choice != 'allfiles' \|\| $confirm == 'yes')) { // Increase limit of time. Works only if we are not in safe mode $ExecTimeLimit = 600; diff --git a/htdocs/admin/tools/update.php b/htdocs/admin/tools/update.php index 5a6ff94ce57..821bcd9e3f3 100644 --- a/htdocs/admin/tools/update.php +++ b/htdocs/admin/tools/update.php @@ -22,6 +22,10 @@ \brief Page to make a Dolibarr online upgrade / +if (! defined('CSRFCHECK_WITH_TOKEN')) { + define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET +} + require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; @@ -100,7 +104,7 @@ if (function_exists('curl_init')) { print $langs->trans("LastStableVersion").' : '.$langs->trans("UpdateServerOffline").'* '; } } else { - print $langs->trans("LastStableVersion").' : '.$langs->trans("Check").' '; + print $langs->trans("LastStableVersion").' : '.$langs->trans("Check").' '; } } @@ -113,14 +117,14 @@ print ' '; print $langs->trans("ThisIsProcessToFollow").' '; print ''.$langs->trans("StepNb", 1).': '; $fullurl = ''.$urldolibarr.''; -print $langs->trans("DownloadPackageFromWebSite", $fullurl).' '; +print str_replace('{s}', $fullurl, $langs->trans("DownloadPackageFromWebSite", '{s}')).' '; print ''.$langs->trans("StepNb", 2).': '; -print $langs->trans("UnpackPackageInDolibarrRoot", $dolibarrroot).' '; +print str_replace('{s}', $dolibarrroot, $langs->trans("UnpackPackageInDolibarrRoot", '{s}')).' '; print ''.$langs->trans("StepNb", 3).': '; print $langs->trans("RemoveLock", $dolibarrdataroot.'/install.lock').' '; print ''.$langs->trans("StepNb", 4).': '; $fullurl = ''.DOL_URL_ROOT.'/install/'; -print $langs->trans("CallUpdatePage", $fullurl).' '; +print str_replace('{s}', $fullurl, $langs->trans("CallUpdatePage", '{s}')).' '; print ''.$langs->trans("StepNb", 5).': '; print $langs->trans("RestoreLock", $dolibarrdataroot.'/install.lock').' '; @@ -133,8 +137,9 @@ print ' '; print $langs->trans("AddExtensionThemeModuleOrOther").' '; print ' '; - -print $langs->trans("GoModuleSetupArea", DOL_URL_ROOT.'/admin/modules.php?mode=deploy', $langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Modules")); +$texttoshow = $langs->trans("GoModuleSetupArea", DOL_URL_ROOT.'/admin/modules.php?mode=deploy', '{s2}'); +$texttoshow = str_replace('{s2}', img_picto('', 'tools', 'class="pictofixedwidth"').$langs->transnoentities("Home").' - '.$langs->transnoentities("Setup").' - '.$langs->transnoentities("Modules"), $texttoshow); +print $texttoshow; // End of page llxFooter(); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 333d4e2ded6..65b446727e5 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -195,7 +195,7 @@ class Commande extends CommonOrder /** * @var int Date expected for delivery - * @see delivery_date + * @see $delivery_date * @deprecated */ public $date_livraison; diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index ea9f7799849..d1cc0413bfd 100644 --- a/htdocs/compta/bank/card.php +++ b/htdocs/compta/bank/card.php @@ -212,7 +212,7 @@ if (empty($reshook)) { $object->ics = trim(GETPOST("ics", 'alpha')); $object->ics_transfer = trim(GETPOST("ics_transfer", 'alpha')); - $account_number = GETPOST('account_number', 'alpha'); + $account_number = GETPOST('account_number', 'alphanohtml'); if (empty($account_number) \|\| $account_number == '-1') { $object->account_number = ''; } else { @@ -754,13 +754,13 @@ if ($action == 'create') { print '
'.$langs->trans("ICS").'
'.$langs->trans("ICS").' ('.$langs->trans("StandingOrder").')	'.$object->ics.'
'.$langs->trans("ICSTransfer").'
'.$langs->trans("ICS").' ('.$langs->trans("BankTransfer").')	'.$object->ics_transfer.'

'.$langs->trans("ICS").'
'.$langs->trans("ICS").' ('.$langs->trans("StandingOrder").')
'.$langs->trans("ICSTransfer").'
'.$langs->trans("ICS").' ('.$langs->trans("BankTransfer").')
"; print $ligne->LibStatut($obj->statut, 2); print " "; - print ''; + print ''; print sprintf("%06s", $obj->rowid); print '	'; + print '	'; print price($obj->amount, 0, $langs, 0, 0, -1, $conf->currency); print '	'.$tva_static->getNomUrl(1).'	'; + print $tva_static->getNomUrl(1); + $filename = dol_sanitizeFileName($tva_static->ref); + $filedir = $conf->tax->dir_output.'/vat/'.dol_sanitizeFileName($tva_static->ref); + $urlsource = $_SERVER['PHP_SELF'].'?id='.$tva_static->id; + print $formfile->getDocumentsLink($tva_static->element, $filename, $filedir, '', 'valignmiddle paddingleft2imp'); + print '
' . $langs->trans("Amount") . '
' . $langs->trans("Amount") . '	' . price($object->amount, 0, $outputlangs, 1, -1, -1, $conf->currency) . '
' . $langs->trans("Amount") . '	' . price($object->amount, 0, $langs, 1, -1, -1, $conf->currency) . '
'.$langs->trans("Module").'	'; - print ''.$langs->trans("All").""; + print ''.$langs->trans("All").""; print '/'; - print ''.$langs->trans("None").""; + print ''.$langs->trans("None").""; print '		'.$langs->trans("Permissions").'	'.$langs->trans("ID").'
'; - print 'module.'&token='.newToken().'">'.$langs->trans("All").""; + print 'module.'&token='.newToken().'">'.$langs->trans("All").""; print '/'; - print 'module.'&token='.newToken().'">'.$langs->trans("None").""; + print 'module.'&token='.newToken().'">'.$langs->trans("None").""; print '
id.'">'; + print '	id.'&confirm=yes&token='.newToken().'">'; //print img_edit_remove($langs->trans("Remove")); print img_picto($langs->trans("Remove"), 'switch_on'); print '	id.'&token='.newToken().'">'; + print '	id.'&confirm=yes&token='.newToken().'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print '	id.'&token='.newToken().'">'; + print '	id.'&confirm=yes&token='.newToken().'">'; //print img_edit_add($langs->trans("Add")); print img_picto($langs->trans("Add"), 'switch_off'); print '	'.$permlabel.'	'; + print $permlabel; + if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { + if (preg_match('/_advance$/', $obj->perms)) { + print ' ('.$langs->trans("AdvancedModeOnly").')'; + } + } + print '	'.$obj->id.'	'; + $htmltext = $langs->trans("ID").': '.$obj->id; + $htmltext .= ' '.$langs->trans("Permission").': user->rights->'.$obj->module.'->'.$obj->perms.($obj->subperms ? '->'.$obj->subperms : ''); + print $form->textwithpicto('', $htmltext); + //print ''.$obj->id.''; + print '
'; - //print img_object('', $picto, 'class="pictoobjectwidth"').' '.$objMod->getName(); + //print img_object('', $picto, 'class="inline-block pictoobjectwidth"').' '.$objMod->getName(); print '