diff --git a/apps/maarch_entreprise/xml/onlyOfficeConfig.xml.default b/apps/maarch_entreprise/xml/onlyOfficeConfig.xml.default
new file mode 100644
index 0000000000000000000000000000000000000000..0a117994ef0d5d4a7bda9af3275b74c0c85db14d
--- /dev/null
+++ b/apps/maarch_entreprise/xml/onlyOfficeConfig.xml.default
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ROOT>
+    <ENABLED>true</ENABLED>
+    <URI>127.0.0.1</URI>
+</ROOT>
diff --git a/rest/index.php b/rest/index.php
index d1d3cb861434d2974274cc7cd01f1724742e062e..8952c064b54f12107c6be83844795a430ed90859 100755
--- a/rest/index.php
+++ b/rest/index.php
@@ -29,7 +29,7 @@ $app = new \Slim\App(['settings' => ['displayErrorDetails' => true, 'determineRo
 
 //Authentication
 $app->add(function (\Slim\Http\Request $request, \Slim\Http\Response $response, callable $next) {
-    $routesWithoutAuthentication = ['GET/jnlp/{jnlpUniqueId}', 'POST/password', 'PUT/password', 'GET/passwordRules'];
+    $routesWithoutAuthentication = ['GET/jnlp/{jnlpUniqueId}', 'POST/password', 'PUT/password', 'GET/passwordRules', 'GET/onlyOffice/mergedFile'];
     $route = $request->getAttribute('route');
     $currentMethod = empty($route) ? '' : $route->getMethods()[0];
     $currentRoute = empty($route) ? '' : $route->getPattern();
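Review bot: Adding `'GET/onlyOffice/mergedFile'` to `$routesWithoutAuthentication` makes `getMergedFile` reachable without a session, so the filename check inside that handler becomes the only access control on the files it serves from the tmp path. Presumably the exemption exists because the OnlyOffice document server fetches the file without Maarch credentials, but nothing here says so. I would record that next to the list, e.g. `// fetched by the OnlyOffice document server, which has no Maarch session; getMergedFile must validate its own input`. I would also consider requiring a short-lived random token, issued when the merged file is saved, instead of relying on the filename being hard to guess. The middleware closure continues outside the hunk.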
@@ -132,6 +132,17 @@ $app->put('/contactsParameters', \Contact\controllers\ContactController::class .
 $app->post('/convertedFile', \Convert\controllers\ConvertPdfController::class . ':convertedFile');
 $app->get('/convertedFile/{filename}', \Convert\controllers\ConvertPdfController::class . ':getConvertedFileByFilename');
 
+//ContentManagement
+$app->get('/test', \ContentManagement\controllers\JnlpController::class . ':test'); //TODO
+$app->post('/jnlp', \ContentManagement\controllers\JnlpController::class . ':generateJnlp');
+$app->get('/jnlp/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':renderJnlp');
+$app->post('/jnlp/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':processJnlp');
+$app->get('/jnlp/lock/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':isLockFileExisting');
+$app->get('/onlyOffice/configuration', \ContentManagement\controllers\OnlyOfficeController::class . ':getConfiguration');
+$app->post('/onlyOffice/mergedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':saveMergedFile');
+$app->get('/onlyOffice/mergedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':getMergedFile');
+$app->get('/onlyOffice/encodedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':getEncodedFileFromUrl');
+
 //CustomFields
 $app->get('/customFields', \CustomField\controllers\CustomFieldController::class . ':get');
 $app->post('/customFields', \CustomField\controllers\CustomFieldController::class . ':create');
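Review bot: The `/test` route is carried over in this move, now registered as `GET` instead of `POST` and marked only with a bare `//TODO`, so what looks like a development endpoint stays registered on every install. What `JnlpController::test` does is not visible here. If it is scaffolding, drop the line before merge; otherwise replace `//TODO` with a comment saying what remains to be done and why the verb changed.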
@@ -255,16 +266,6 @@ $app->put('/indexingModels/{id}/disable', \IndexingModel\controllers\IndexingMod
 $app->put('/indexingModels/{id}/enable', \IndexingModel\controllers\IndexingModelController::class . ':enable');
 $app->delete('/indexingModels/{id}', \IndexingModel\controllers\IndexingModelController::class . ':delete');
 
-//ContentManagement
-$app->post('/jnlp', \ContentManagement\controllers\JnlpController::class . ':generateJnlp');
-$app->post('/test', \ContentManagement\controllers\JnlpController::class . ':test');
-$app->get('/jnlp/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':renderJnlp');
-$app->post('/jnlp/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':processJnlp');
-$app->get('/jnlp/lock/{jnlpUniqueId}', \ContentManagement\controllers\JnlpController::class . ':isLockFileExisting');
-$app->post('/onlyOffice/mergedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':saveMergedFile');
-$app->get('/onlyOffice/mergedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':getMergedFile');
-$app->get('/onlyOffice/encodedFile', \ContentManagement\controllers\OnlyOfficeController::class . ':getEncodedFileFromUrl');
-
 //Links
 $app->get('/links/resId/{resId}', \Link\controllers\LinkController::class . ':getByResId');
 
diff --git a/src/app/contentManagement/controllers/OnlyOfficeController.php b/src/app/contentManagement/controllers/OnlyOfficeController.php
index 9259e50f232e990a96f9230786b0f827cfd0d374..4715041cc4d6c3153d5033fe78b867167c3fd9be 100644
--- a/src/app/contentManagement/controllers/OnlyOfficeController.php
+++ b/src/app/contentManagement/controllers/OnlyOfficeController.php
@@ -24,6 +24,20 @@ use Template\models\TemplateModel;
 
 class OnlyOfficeController
 {
+    public static function getConfiguration(Request $request, Response $response)
+    {
+        $loadedXml = CoreConfigModel::getXmlLoaded(['path' => 'apps/maarch_entreprise/xml/onlyOfficeConfig.xml']);
+
+        if (empty($loadedXml) || empty($loadedXml->enabled) || $loadedXml->enabled == 'false') {
+            return $response->withJson(['enabled' => false]);
+        }
+        if (empty($loadedXml->URI)) {
+            return $response->withStatus(400)->withJson(['errors' => 'onlyOfficeConfig : URI is empty']);
+        }
+
+        return $response->withJson(['enabled' => true, 'uri' => $loadedXml->URI]);
+    }
+
     public static function saveMergedFile(Request $request, Response $response)
     {
         $body = $request->getParsedBody();
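Review bot: `getConfiguration` reads `$loadedXml->enabled` in lower case, while the shipped `onlyOfficeConfig.xml.default` declares `<ENABLED>`, the same casing the code uses for `$loadedXml->URI`. If `getXmlLoaded` returns a SimpleXMLElement (not visible here), element access is case-sensitive, so the first check is always empty and the endpoint always answers `['enabled' => false]`. The line should read `if (empty($loadedXml) || empty($loadedXml->ENABLED) || (string)$loadedXml->ENABLED === 'false') {`. Under the same assumption, the last return hands a SimpleXMLElement to `withJson`, which serialises as an object rather than a string; cast it: `'uri' => (string)$loadedXml->URI`. The method also lacks a docblock saying that it exposes the document-server address to the client.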
@@ -94,6 +108,8 @@ class OnlyOfficeController
 
         if (!Validator::stringType()->notEmpty()->validate($queryParams['filename'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Query params filename is empty']);
+        } elseif (substr_count($queryParams['filename'], '\\') > 0 || substr_count($queryParams['filename'], '.') != 1) {
+            return $response->withStatus(400)->withJson(['errors' => 'Query params filename forbidden']);
         }
 
         $tmpPath = CoreConfigModel::getTmpPath();
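Review bot: The new `elseif` rejects backslashes and any value without exactly one dot, but a name containing `/` still passes. If `$filename` is taken from this parameter (the assignment is outside the hunk), such a name resolves below the tmp path rather than directly in it. The dot count does rule out `..`, but an allowlist is easier to reason about on an unauthenticated route: `} elseif (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $queryParams['filename'])) {`, with the character set adjusted to the names the merge step actually generates. That also bounds the extension that is later interpolated into the `Content-Disposition` header. If the `substr_count` form is kept, use `!== 1` rather than `!= 1`.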
@@ -107,6 +123,7 @@ class OnlyOfficeController
         $finfo    = new \finfo(FILEINFO_MIME_TYPE);
         $mimeType = $finfo->buffer($fileContent);
         $extension = pathinfo($tmpPath . $filename, PATHINFO_EXTENSION);
+        unlink($tmpPath . $filename);
 
         $response->write($fileContent);
         $response = $response->withAddedHeader('Content-Disposition', "attachment; filename=maarch.{$extension}");
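Review bot: `unlink($tmpPath . $filename)` gives this GET a destructive side effect, and its result is ignored. Because the route is exempted from authentication in rest/index.php, any caller that supplies an accepted name removes the file, and a retried download from the document server will no longer find it. A failed unlink only raises a PHP warning, which can surface in the response since the app is created with `displayErrorDetails` enabled. At minimum handle the `false` return, e.g. `if (!unlink($tmpPath . $filename)) { return $response->withStatus(500)->withJson(['errors' => 'Merged file could not be removed']); }`, and add a comment stating that the file is single-use by design. The function begins and ends outside the hunk.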
diff --git a/test/unitTests/app/user/UserControllerTest.php b/test/unitTests/app/user/UserControllerTest.php
index b82ff205c262e1c6bc9669f2523eeff51774243a..8fef34b89b906275e158ea8bc5229ebd005687c7 100755
--- a/test/unitTests/app/user/UserControllerTest.php
+++ b/test/unitTests/app/user/UserControllerTest.php
@@ -753,7 +753,7 @@ class UserControllerTest extends TestCase
 
         $this->assertSame('superadmin', $responseBody->user_id);
         $this->assertSame('Super', $responseBody->firstname);
-        $this->assertSame('Admin', $responseBody->lastname);
+        $this->assertSame('ADMIN', $responseBody->lastname);
         $this->assertSame('dev@maarch.org', $responseBody->mail);
         $this->assertSame('SU', $responseBody->initials);
     }