diff --git a/htdocs/compta/bank/document.php b/htdocs/compta/bank/document.php index 32bfe66f7d1..67a38e03cc6 100644 --- a/htdocs/compta/bank/document.php +++ b/htdocs/compta/bank/document.php @@ -52,8 +52,6 @@ if ($user->societe_id) { } if ($user->societe_id) $socid = $user->societe_id; -$result = restrictedArea($user, 'banque', $fieldvalue, 'bank_account', '', '', - $fieldtype); // Get parameters $sortfield = GETPOST("sortfield", 'alpha'); @@ -69,8 +67,10 @@ if (!$sortfield) $sortfield = "name"; $object = new Account($db); -if ($id) - $object->fetch($id); +if ($id > 0 || ! empty($ref)) $object->fetch($id, $ref); + +$result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', ''); + /* * Actions @@ -105,14 +105,14 @@ if ($id > 0 || !empty($ref)) { // Build file list - $filearray = dol_dir_list($upload_dir, "files", 0, '', '\.meta$', - $sortfield, - (strtolower($sortorder) == 'desc' ? SORT_DESC : SORT_ASC), 1); + $filearray = dol_dir_list($upload_dir, "files", 0, '', '\.meta$', $sortfield, (strtolower($sortorder) == 'desc' ? SORT_DESC : SORT_ASC), 1); $totalsize = 0; foreach ($filearray as $key => $file) { $totalsize+=$file['size']; } + $morehtmlref = ''; + $linkback = ''.$langs->trans("BackToList").''; dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php index 72aa4bc4265..9ba90d00e62 100644 --- a/htdocs/core/class/conf.class.php +++ b/htdocs/core/class/conf.class.php 
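Review bot: In the second hunk of htdocs/compta/bank/document.php the result of `$object->fetch($id, $ref)` is discarded before `$object->id` is handed to `restrictedArea()`. When the id or ref does not resolve, `$object->id` is presumably empty, so the call can only act as a module-level check and the page carries on with an unloaded Account. I would stop on a failed lookup, using the `<= 0` convention this commit uses in photos_resize.php: `if (($id > 0 || ! empty($ref)) && $object->fetch($id, $ref) <= 0) accessforbidden();`. The script continues outside the hunk, so a later guard may already cover this.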
@@ -353,6 +353,12 @@ class Conf $this->propal->dir_output=$rootfordata."/propale"; $this->propal->dir_temp=$rootfordata."/propale/temp"; + // For backward compatibility + $this->banque->multidir_output = array($this->entity => $rootfordata."/bank"); + $this->banque->multidir_temp = array($this->entity => $rootfordata."/bank/temp"); + $this->banque->dir_output=$rootfordata."/bank"; + $this->banque->dir_temp=$rootfordata."/bank/temp"; + // For medias storage $this->medias->multidir_output = array($this->entity => $rootfordata."/medias"); $this->medias->multidir_temp = array($this->entity => $rootfordata."/medias/temp"); diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 82bfe17bf69..d231dacab87 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php 
@@ -1078,10 +1078,11 @@ class FormFile * @param string $sortorder Sort order ('ASC' or 'DESC') * @param int $disablemove 1=Disable move button, 0=Position move is possible. * @param int $addfilterfields Add line with filters + * @param int $disablecrop Disable crop feature on images (-1 = auto, prefer to set it explicitely to 0 or 1) * @return int <0 if KO, nb of files shown if OK * @see list_of_autoecmfiles() */ - public function list_of_documents($filearray, $object, $modulepart, $param = '', $forcedownload = 0, $relativepath = '', $permonobject = 1, $useinecm = 0, $textifempty = '', $maxlength = 0, $title = '', $url = '', $showrelpart = 0, $permtoeditline = -1, $upload_dir = '', $sortfield = '', $sortorder = 'ASC', $disablemove = 1, $addfilterfields = 0) + public function list_of_documents($filearray, $object, $modulepart, $param = '', $forcedownload = 0, $relativepath = '', $permonobject = 1, $useinecm = 0, $textifempty = '', $maxlength = 0, $title = '', $url = '', $showrelpart = 0, $permtoeditline = -1, $upload_dir = '', $sortfield = '', $sortorder = 'ASC', $disablemove = 1, $addfilterfields = 0, $disablecrop = -1) { // phpcs:enable global $user, $conf, $langs, $hookmanager; @@ -1089,8 +1090,11 @@ class FormFile global $dolibarr_main_url_root; global $form; - $disablecrop=1; - if (in_array($modulepart, array('bom','expensereport','holiday','member','project','product','produit','service','societe','tax','ticket','user'))) $disablecrop=0; + if ($disablecrop == -1) + { + $disablecrop=1; + if (in_array($modulepart, array('bank','bom','expensereport','holiday','member','project','product','produit','service','societe','tax','ticket','user'))) $disablecrop=0; + } // Define relative path used to store the file if (empty($relativepath)) diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php index 3bb59685449..826ed5fdd45 100644 --- a/htdocs/core/photos_resize.php +++ b/htdocs/core/photos_resize.php 
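Review bot: The new `$disablecrop` docblock line documents only the -1 sentinel and leaves the meaning of 0 and 1 to be read out of the body, where 1 disables cropping and 0 allows it. I would spell that out and fix the "explicitely" typo: `@param int $disablecrop 1=Disable crop on images, 0=Allow crop, -1=Auto (decided from $modulepart)`. In the second hunk `if ($disablecrop == -1)` is a loose comparison, so a caller passing `true` also lands in the auto branch and may get cropping enabled. `if ((int) $disablecrop === -1)` keeps string callers working and removes that surprise. The body of list_of_documents() continues outside both hunks.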
@@ -55,22 +55,10 @@ elseif ($modulepart == 'project') } elseif ($modulepart == 'bom') { - $result=restrictedArea($user, 'bom', $id, 'bom_bom'); + $result=restrictedArea($user, $modulepart, $id, 'bom_bom'); if (! $user->rights->bom->read) accessforbidden(); $accessallowed=1; } -elseif ($modulepart == 'expensereport') -{ - $result=restrictedArea($user, 'expensereport', $id, 'expensereport'); - if (! $user->rights->expensereport->lire) accessforbidden(); - $accessallowed=1; -} -elseif ($modulepart == 'holiday') -{ - $result=restrictedArea($user, 'holiday', $id, 'holiday'); - if (! $user->rights->holiday->read) accessforbidden(); - $accessallowed=1; -} elseif ($modulepart == 'member') { $result=restrictedArea($user, 'adherent', $id, '', '', 'fk_soc', 'rowid'); 
@@ -79,26 +67,26 @@ elseif ($modulepart == 'member') } elseif ($modulepart == 'user') { - $result=restrictedArea($user, 'user', $id, 'user'); + $result=restrictedArea($user, $modulepart, $id, $modulepart); if (! $user->rights->user->user->lire) accessforbidden(); $accessallowed=1; } -elseif ($modulepart == 'societe') -{ - $result=restrictedArea($user, 'societe', $id, 'societe'); - if (! $user->rights->societe->lire) accessforbidden(); - $accessallowed=1; -} elseif ($modulepart == 'tax') { - $result=restrictedArea($user, 'tax', $id, 'chargesociales', 'charges'); + $result=restrictedArea($user, $modulepart, $id, 'chargesociales', 'charges'); if (! $user->rights->tax->charges->lire) accessforbidden(); $accessallowed=1; } -elseif ($modulepart == 'ticket') +elseif ($modulepart == 'bank') { - $result=restrictedArea($user, 'ticket', $id, 'ticket'); - if (! $user->rights->ticket->read) accessforbidden(); + $result=restrictedArea($user, 'banque', $id, 'bank_account'); + if (! $user->rights->banque->lire) accessforbidden(); + $accessallowed=1; +} +else // ticket, holiday, expensereport, societe... +{ + $result=restrictedArea($user, $modulepart, $id, $modulepart); + if (empty($user->rights->$modulepart->read) && empty($user->rights->$modulepart->lire)) accessforbidden(); $accessallowed=1; } @@ -142,7 +130,7 @@ elseif ($modulepart == 'holiday') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->holiday->dir_output; // By default + $dir=$conf->$modulepart->dir_output; // By default } } elseif ($modulepart == 'member') @@ -164,7 +152,7 @@ elseif ($modulepart == 'societe') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->societe->dir_output; + $dir=$conf->$modulepart->dir_output; } } elseif ($modulepart == 'user') 
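Review bot: The new catch-all `else` at the end of the access-check chain turns an explicit allow-list of module parts into an open one. Whatever `$modulepart` holds is used as the feature name and table name for `restrictedArea()` and as a dynamic property on `$user->rights`, and any value with a `read` or `lire` right sets `$accessallowed=1`. `$modulepart` is assigned outside this hunk and is presumably request-controlled, so I would keep the list closed: `elseif (in_array($modulepart, array('ticket','holiday','expensereport','societe'), true))` for the shared branch, followed by `else accessforbidden();`. The directory-selection chain further down still ends in its own `else`, whose body is not visible here, so the practical reach depends on what that branch does.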
@@ -175,7 +163,7 @@ elseif ($modulepart == 'user') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->user->dir_output; // By default + $dir=$conf->$modulepart->dir_output; // By default } } elseif ($modulepart == 'expensereport') @@ -197,7 +185,7 @@ elseif ($modulepart == 'tax') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->tax->dir_output; // By default + $dir=$conf->$modulepart->dir_output; // By default } } elseif ($modulepart == 'ticket') @@ -208,7 +196,7 @@ elseif ($modulepart == 'ticket') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->ticket->dir_output; // By default + $dir=$conf->$modulepart->dir_output; // By default } } elseif ($modulepart == 'bom') @@ -219,7 +207,18 @@ elseif ($modulepart == 'bom') { $result = $object->fetch($id); if ($result <= 0) dol_print_error($db, 'Failed to load object'); - $dir=$conf->bom->dir_output; // By default + $dir=$conf->$modulepart->dir_output; // By default + } +} +elseif ($modulepart == 'bank') +{ + require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; + $object = new Account($db); + if ($id > 0) + { + $result = $object->fetch($id); + if ($result <= 0) dol_print_error($db, 'Failed to load object'); + $dir=$conf->banque->dir_output; // By default } } else { 
@@ -237,6 +236,7 @@ if (empty($backtourl)) elseif (in_array($modulepart, array('tax'))) $backtourl=DOL_URL_ROOT."/compta/sociales/document.php?id=".$id.'&file='.urldecode($_POST["file"]); elseif (in_array($modulepart, array('ticket'))) $backtourl=DOL_URL_ROOT."/ticket/document.php?id=".$id.'&file='.urldecode($_POST["file"]); elseif (in_array($modulepart, array('user'))) $backtourl=DOL_URL_ROOT."/user/document.php?id=".$id.'&file='.urldecode($_POST["file"]); + elseif (in_array($modulepart, array('bank'))) $backtourl=DOL_URL_ROOT."/compta/bank/document.php?id=".$id.'&file='.urldecode($_POST["file"]); else $backtourl=DOL_URL_ROOT."/".$modulepart."/".$modulepart."_document.php?id=".$id.'&file='.urldecode($_POST["file"]); } @@ -422,6 +422,7 @@ print '
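Review bot: The added `bank` line builds `$backtourl` from a raw `$_POST["file"]` passed through `urldecode()`, so the file name is decoded rather than encoded when it is placed in the query string. A name containing `&`, `#` or a line break then alters the URL instead of travelling as one parameter, and if `$backtourl` is later emitted in a redirect header (not visible in this hunk) that text reaches the header as well. I would write the tail of the new line as `.'&file='.urlencode(GETPOST('file'));`. The sibling `tax`, `ticket` and `user` lines carry the same pattern and are left unchanged by this commit.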
'."\n"; print ''."\n"; print '
'; +print ''; print '
'; print ''.$langs->trans("Resize").''; @@ -472,7 +473,9 @@ if (! empty($conf->use_javascript_ajax)) print ''; print ''; print '
'; - print ' + print ''; + print ''; + print '
'.$langs->trans("NewSizeAfterCropping").': diff --git a/htdocs/modulebuilder/template/myobject_document.php b/htdocs/modulebuilder/template/myobject_document.php index 5e40b12a076..8deb44b9009 100644 --- a/htdocs/modulebuilder/template/myobject_document.php +++ b/htdocs/modulebuilder/template/myobject_document.php @@ -53,11 +53,6 @@ $confirm=GETPOST('confirm'); $id=(GETPOST('socid', 'int') ? GETPOST('socid', 'int') : GETPOST('id', 'int')); $ref = GETPOST('ref', 'alpha'); -// Security check - Protection if external user -//if ($user->societe_id > 0) access_forbidden(); -//if ($user->societe_id > 0) $socid = $user->societe_id; -//$result = restrictedArea($user, 'mymodule', $id); - // Get parameters $sortfield = GETPOST("sortfield", 'alpha'); $sortorder = GETPOST("sortorder", 'alpha'); @@ -84,6 +79,12 @@ include DOL_DOCUMENT_ROOT.'/core/actions_fetchobject.inc.php'; // Must be inclu //if ($id > 0 || ! empty($ref)) $upload_dir = $conf->mymodule->multidir_output[$object->entity?$object->entity:$conf->entity] . "/myobject/" . dol_sanitizeFileName($object->id); if ($id > 0 || ! empty($ref)) $upload_dir = $conf->mymodule->multidir_output[$object->entity?$object->entity:$conf->entity] . "/myobject/" . dol_sanitizeFileName($object->ref); +// Security check - Protection if external user +//if ($user->societe_id > 0) access_forbidden(); +//if ($user->societe_id > 0) $socid = $user->societe_id; +//$result = restrictedArea($user, 'mymodule', $object->id); + + /* * Actions
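Review bot: The relocated security block in the second hunk of myobject_document.php is still entirely commented out, so a module generated from this template has no access check on its document page until the author enables it. Its first commented line calls `access_forbidden()`, while the helper used in htdocs/core/photos_resize.php in this same commit is `accessforbidden()`. I would at least correct the name so that uncommenting works: `//if ($user->societe_id > 0) accessforbidden();`. A one-line comment above the block, saying the check must be enabled and `'mymodule'` replaced with the real module key, would make the intent clear to template users.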