diff --git a/src/app/attachment/controllers/AttachmentController.php b/src/app/attachment/controllers/AttachmentController.php
index 7a9c799408fa74edf9920cf545e9914f1940581b..310708da3006ca9e9ac1e15d87f0c8090f635161 100755
--- a/src/app/attachment/controllers/AttachmentController.php
+++ b/src/app/attachment/controllers/AttachmentController.php
@@ -489,11 +489,15 @@ class AttachmentController
             return $response->withStatus(403)->withJson(['errors' => 'id param is not an integer']);
         }
 
-        $document = AttachmentModel::getById(['select' => [1], 'id' => $args['id']]);
+        $document = AttachmentModel::getById(['select' => ['res_id_master'], 'id' => $args['id']]);
         if (empty($document)) {
             return $response->withStatus(400)->withJson(['errors' => 'Document does not exist']);
         }
 
+        if (!ResController::hasRightByResId(['resId' => [$document['res_id_master']], 'userId' => $GLOBALS['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         $docserver = DocserverModel::getByDocserverId(['docserverId' => 'TNL_ATTACH', 'select' => ['path_template']]);
         if (empty($docserver['path_template']) || !file_exists($docserver['path_template'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Docserver does not exist']);
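Review bot: The new rights check runs only after the existence check, so a caller without access gets 400 `Document does not exist` for an unknown attachment id and 403 `Document out of perimeter` for a real one, which lets any authenticated user tell valid ids from invalid ones. The same ordering appears in the ResController.php hunk, where the 400 return precedes the added 403. If clients do not depend on the 400, both branches could return the same response, e.g. `return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);` in the `empty($document)` branch as well. The enclosing method starts and ends outside this hunk, so any earlier handling of this case is not visible here.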
diff --git a/src/app/resource/controllers/ResController.php b/src/app/resource/controllers/ResController.php
index b744a1add45e007a5703f059c6771af666b89a9b..6e0d7097f2e5e008f31b855ffb210dd1cb6e1377 100755
--- a/src/app/resource/controllers/ResController.php
+++ b/src/app/resource/controllers/ResController.php
@@ -757,6 +757,10 @@ class ResController extends ResourceControlController
             return $response->withStatus(400)->withJson(['errors' => 'Document does not exist']);
         }
 
+        if (!ResController::hasRightByResId(['resId' => [$args['resId']], 'userId' => $GLOBALS['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         $docserver = DocserverModel::getByDocserverId(['docserverId' => 'TNL_MLB', 'select' => ['path_template']]);
         if (empty($docserver['path_template']) || !file_exists($docserver['path_template'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Docserver does not exist']);
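Review bot: The added guard has no comment saying that it must stay above the docserver lookup and any file access that follows, so a later refactor could move a read above it without noticing. A one-line comment such as `// Access control: keep this check before any docserver path or file is resolved for the resource` would make the ordering requirement explicit. Since the call sits inside `ResController`, `self::hasRightByResId(...)` would also read more naturally than repeating the class name. The enclosing method begins and continues outside this hunk, and no test covering the new 403 path is visible in this diff.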