diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index 5db0da25635..41c8dcbd198 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -464,7 +464,7 @@ if ($resql)
 			print '';
 			print ''.$obj->name.''."\n";
 			print '';
-			if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $obj->name)) {
+			if (isASecretKey($obj->name)) {
 				if (empty($dolibarr_main_prod)) {
 					print '';
 				}
diff --git a/htdocs/api/class/api_login.class.php b/htdocs/api/class/api_login.class.php
index 078d631aa3d..8627808a679 100644
--- a/htdocs/api/class/api_login.class.php
+++ b/htdocs/api/class/api_login.class.php
@@ -40,7 +40,7 @@ class Login
 	 *
 	 * Request the API token for a couple username / password.
 	 * Using method POST is recommanded for security reasons (method GET is often logged by default by web servers with parameters so with login and pass into server log file).
-	 * Both methods are provided for developer conveniance. Best is to not use at all the login API method and enter directly the "DOLAPIKEY" into field at the top right of page. Note: The API key (DOLAPIKEY) can be found/set on the user page.
+	 * Both methods are provided for developer conveniance. Best is to not use at all the login API method and enter directly the "DOLAPIKEY" into field at the top right of page. Note: The API token (DOLAPIKEY) can be found/set on the user page.
 	 *
 	 * @param string $login User login
 	 * @param string $password User password
diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php
index f0812262e4b..fbe5e7b1872 100644
--- a/htdocs/api/class/api_setup.class.php
+++ b/htdocs/api/class/api_setup.class.php
@@ -66,6 +66,10 @@ class Setup extends DolibarrApi
 	{
 		$list = array();
+		if (!DolibarrApiAccess::$user->rights->commande->lire) {
+			throw new RestException(401);
+		}
+
 		$sql = "SELECT rowid, code, libelle as label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_input_method as t";
 		$sql .= " WHERE t.active = ".$active;
@@ -127,6 +131,10 @@ class Setup extends DolibarrApi
 	{
 		$list = array();
+		if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
+			throw new RestException(401);
+		}
+
 		$sql = "SELECT id, code, type, libelle as label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_paiement as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_paiement').")";
@@ -468,6 +476,10 @@ class Setup extends DolibarrApi
 	{
 		$list = array();
+		if (!DolibarrApiAccess::$user->rights->commande->lire) {
+			throw new RestException(401);
+		}
+
 		$sql = "SELECT rowid, code, label";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_availability as t";
 		$sql .= " WHERE t.active = ".$active;
@@ -960,6 +972,10 @@ class Setup extends DolibarrApi
 	{
 		$list = array();
+		if (!DolibarrApiAccess::$user->admin) {
+			throw new RestException(401, 'Only an admin user can get list of extrafields');
+		}
+
 		if ($type == 'thirdparty') $type = 'societe';
 		if ($type == 'contact') $type = 'socpeople';
@@ -1100,6 +1116,10 @@ class Setup extends DolibarrApi
 	{
 		$list = array();
+		if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
+			throw new RestException(401);
+		}
+
 		$sql = "SELECT rowid as id, code, sortorder, libelle as label, libelle_facture as descr, type_cdr, nbjour, decalage, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_payment_term as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_payment_term').")";
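Review bot: The new guard throws `RestException(401)` for a caller who has already been authenticated by their API key and merely lacks the `commande->lire` right, so the client is told it is unauthenticated rather than forbidden; the constant-read check later in this same file answers that situation with 403, so `throw new RestException(403);` would be the consistent status here, and the same applies to the four other checks added further down in this file. Separately, if `DolibarrApiAccess::$user->rights->commande` can be unset when the Orders module is disabled (I cannot confirm from the hunk how `rights` is populated), reading `->lire` on it emits a PHP warning before the check runs, whereas `empty(DolibarrApiAccess::$user->rights->commande->lire)` fails closed silently. The enclosing method's signature and return are outside the hunk.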
@@ -1545,15 +1565,15 @@ class Setup extends DolibarrApi
 		global $conf;
 		if (!DolibarrApiAccess::$user->admin
-			&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK)) {
-			throw new RestException(403, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_ADMIN_CHECK');
+			&& (empty($conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ)) {
+			throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_CONST_READ');
 		}
 		if (!preg_match('/^[a-zA-Z0-9_]+$/', $constantname) || !isset($conf->global->$constantname)) {
 			throw new RestException(404, 'Error Bad or unknown value for constantname');
 		}
-		if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $constantname)) {
-			throw new RestException(403, 'Forbidden');
+		if (isASecretKey($constantname)) {
+			throw new RestException(403, 'Forbidden. This parameter cant be read with APIs');
 		}
 		return $conf->global->$constantname;
@@ -1578,7 +1598,7 @@ class Setup extends DolibarrApi
 		if (!DolibarrApiAccess::$user->admin
 			&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK)) {
-			throw new RestException(503, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
+			throw new RestException(503, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
 		}
 		require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php
index 54f14c25cab..f25a0694f7d 100644
--- a/htdocs/core/class/commondocgenerator.class.php
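Review bot: The constant is renamed to the plural `API_LOGINS_ALLOWED_FOR_CONST_READ` and the new 403 message promises "users with logins defined into constant", but the added `&&` line still compares the caller's login to the whole constant value with a single `!=`, so a comma-separated list of logins never matches and only one exact login can ever be granted. Splitting the value keeps the promised behaviour and the fail-closed default: `$allowedlogins = array_map('trim', explode(',', (string) $conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ));` followed by `if (!DolibarrApiAccess::$user->admin && !in_array(DolibarrApiAccess::$user->login, $allowedlogins, true)) {` (an empty constant yields `['']`, which no real login equals). Note also that renaming the constant silently revokes access for any installation that configured `API_LOGIN_ALLOWED_FOR_ADMIN_CHECK`, unless a migration or a fallback read of the old name is added elsewhere in this commit. The method's signature is outside the hunk.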
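Review bot: The rewritten throw on the added line keeps reporting an authorization failure as `RestException(503, ...)`, which tells clients and any monitoring that the service is unavailable rather than that the caller lacks rights, while the sibling admin/allow-list check for constant reads in this same file answers the identical situation with 403. `throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');` would make the two endpoints consistent. The enclosing method starts and ends outside the hunk.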
+++ b/htdocs/core/class/commondocgenerator.class.php
@@ -325,7 +325,7 @@ abstract class CommonDocGenerator
 		foreach ($conf->global as $key => $val) {
-			if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $key)) $newval = '*****forbidden*****';
+			if (isASecretKey($key)) $newval = '*****forbidden*****';
 			else $newval = $val;
 			$array_other['__['.$key.']__'] = $newval;
 		}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 3af3f7c2562..bdd6b0c976d 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -118,6 +118,17 @@ function setEntity($currentobject)
 	}
 }
+/**
+ * Return if string has a name dedicated to store a secret
+ *
+ * @param string $keyname Name of key to test
+ * @return boolean True if key is used to store a secret
+ */
+function isASecretKey($keyname)
+{
+	return preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $keyname);
+}
+
 /**
  * Return information about user browser
  *
@@ -6452,7 +6463,7 @@ function make_substitutions($text, $substitutionarray, $outputlangs = null)
 				if (dol_textishtml($text, 1)) $msgishtml = 1;
 				$keyfound = $reg[1];
-				if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $keyfound)) $newval = '*****forbidden*****';
+				if (isASecretKey($keyfound)) $newval = '*****forbidden*****';
 				else $newval = empty($conf->global->$keyfound) ? '' : $conf->global->$keyfound;
 				$text = preg_replace('/__\['.preg_quote($keyfound, '/').'\]__/', $msgishtml ?dol_htmlentitiesbr($newval) : $newval, $text);
 			}
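Review bot: The pattern in the new `isASecretKey()` is anchored with `$`, but the three call sites it replaces in this diff (the constant-read API, `CommonDocGenerator` and `make_substitutions`) previously used the unanchored `/(_pass|_pw|password|secret|_key|key$)/i`, so a constant with `SECRET`, `PASSWORD`, `_PASS`, `_PW` or `_KEY` in the middle of its name was masked before and is returned in clear after this change, and the generic `key$` alternative is gone too, so a name ending in e.g. `PRIVATEKEY` no longer matches. Unless the narrowing is deliberate, keep the old alternatives as a second branch and make the return a real boolean as the docblock promises (`preg_match` returns `int|false`): `return (bool) preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$|(_pass|_pw|password|secret|_key)/i', $keyname);`. A short comment above the return saying that this is the single deny-list behind API constant reads and template substitution, so a false negative is a secret disclosure, would help the next person who trims it.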
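Review bot: The unchanged lines around the new call read an arbitrary `$conf->global` constant whose name (`$keyfound`) comes from a `__[NAME]__` token found in `$text`, so `isASecretKey()` is the only thing between whoever can edit that text and the configuration store; because the helper matches secret markers only as a trailing suffix where the removed inline pattern matched them anywhere in the name, a constant with `SECRET` or `PASSWORD` mid-name becomes readable through templates with this change. If that is not intended, the deny-list applied here must stay at least as broad as the removed `/(_pass|_pw|password|secret|_key|key$)/i`. The enclosing `make_substitutions()` starts and ends outside the hunk.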