diff --git a/main/inc/ajax/myspace.ajax.php b/main/inc/ajax/myspace.ajax.php
index 9f2c2d9341..0321346769 100755
--- a/main/inc/ajax/myspace.ajax.php
+++ b/main/inc/ajax/myspace.ajax.php
@@ -7,6 +7,14 @@
 require_once __DIR__.'/../global.inc.php';
 $action = $_GET['a'];
 
+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    exit;
+}
+
 switch ($action) {
     // At this date : 23/02/2017, a minor review can't determine where is used this case 'access_detail'
     case 'access_detail':
diff --git a/main/mySpace/access_details.php b/main/mySpace/access_details.php
index 74c105c8a2..dc2d77d169 100755
--- a/main/mySpace/access_details.php
+++ b/main/mySpace/access_details.php
@@ -18,6 +18,17 @@ require_once __DIR__.'/../inc/global.inc.php';
 
 api_block_anonymous_users();
 
+
+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    api_not_allowed(true);
+    exit;
+}
+
+
 // the section (for the tabs)
 $this_section = SECTION_TRACKING;
 
diff --git a/main/mySpace/myStudents.php b/main/mySpace/myStudents.php
index 776d9cbcc1..0c0832a4e9 100755
--- a/main/mySpace/myStudents.php
+++ b/main/mySpace/myStudents.php
@@ -74,6 +74,10 @@ if (!$allowedToTrackUser) {
     api_not_allowed(true);
 }
 
+if (api_is_student()) {
+    api_not_allowed(true);
+}
+
 $htmlHeadXtra[] = '<script>
 function show_image(image,width,height) {
 	width = parseInt(width) + 20;
@@ -236,23 +240,29 @@ switch ($action) {
         exit;
         break;
     case 'send_legal':
-        $subject = get_lang('SendLegalSubject');
-        $content = sprintf(
-            get_lang('SendTermsDescriptionToUrlX'),
-            api_get_path(WEB_PATH)
-        );
-        MessageManager::send_message_simple($student_id, $subject, $content);
-        Display::addFlash(Display::return_message(get_lang('Sent')));
+        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
+        if ($isBoss || api_is_platform_admin()) {
+            $subject = get_lang('SendLegalSubject');
+            $content = sprintf(
+                get_lang('SendTermsDescriptionToUrlX'),
+                api_get_path(WEB_PATH)
+            );
+            MessageManager::send_message_simple($student_id, $subject, $content);
+            Display::addFlash(Display::return_message(get_lang('Sent')));
+        }
         break;
     case 'delete_legal':
-        $extraFieldValue = new ExtraFieldValue('user');
-        $value = $extraFieldValue->get_values_by_handler_and_field_variable(
-            $student_id,
-            'legal_accept'
-        );
-        $result = $extraFieldValue->delete($value['id']);
-        if ($result) {
-            Display::addFlash(Display::return_message(get_lang('Deleted')));
+        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
+        if ($isBoss || api_is_platform_admin()) {
+            $extraFieldValue = new ExtraFieldValue('user');
+            $value = $extraFieldValue->get_values_by_handler_and_field_variable(
+                $student_id,
+                'legal_accept'
+            );
+            $result = $extraFieldValue->delete($value['id']);
+            if ($result) {
+                Display::addFlash(Display::return_message(get_lang('Deleted')));
+            }
         }
         break;
     case 'reset_lp':
diff --git a/main/mySpace/user_edit.php b/main/mySpace/user_edit.php
index 659617d44b..45da2eade7 100644
--- a/main/mySpace/user_edit.php
+++ b/main/mySpace/user_edit.php
@@ -17,11 +17,6 @@ if (!api_is_platform_admin()) {
     api_protect_admin_script();
 }
 
-// Database table definitions
-$table_admin = Database::get_main_table(TABLE_MAIN_ADMIN);
-$table_user = Database::get_main_table(TABLE_MAIN_USER);
-$database = Database::get_main_database();
-
 $userId = isset($_REQUEST['user_id']) ? intval($_REQUEST['user_id']) : '';
 
 $userInfo = api_get_user_info($userId);
@@ -60,7 +55,7 @@ if (api_drh_can_access_all_session_content()) {
         api_not_allowed(true);
     }
 } else {
-    if (!$userIsFollowed) {
+    if (!api_is_platform_admin() && !$userIsFollowed) {
         api_not_allowed(true);
     }
 }
diff --git a/main/social/vcard_export.php b/main/social/vcard_export.php
index f78b23cf40..134327a29c 100644
--- a/main/social/vcard_export.php
+++ b/main/social/vcard_export.php
@@ -14,6 +14,8 @@ require_once __DIR__.'/../inc/global.inc.php';
 
 api_block_anonymous_users();
 
+api_protect_admin_script();
+
 if (isset($_REQUEST['userId'])) {
     $userId = intval($_REQUEST['userId']);
 } else {
diff --git a/main/tracking/courseLog.php b/main/tracking/courseLog.php
index 5180577af2..b95eb8b682 100755
--- a/main/tracking/courseLog.php
+++ b/main/tracking/courseLog.php
@@ -380,7 +380,6 @@ if (count($a_students) > 0) {
 
     $all_datas = [];
     $course_code = $_course['id'];
-
     $user_ids = array_keys($a_students);
 
     $table = new SortableTable(
@@ -390,7 +389,7 @@ if (count($a_students) > 0) {
         (api_is_western_name_order() xor api_sort_by_first_name()) ? 3 : 2
     );
 
-    $parameters['cidReq'] = Security::remove_XSS($_GET['cidReq']);
+    $parameters['cidReq'] = isset($_GET['cidReq']) ? Security::remove_XSS($_GET['cidReq']) : '';
     $parameters['id_session'] = $session_id;
     $parameters['from'] = isset($_GET['myspace']) ? Security::remove_XSS($_GET['myspace']) : null;
 
diff --git a/main/tracking/course_log_tools.php b/main/tracking/course_log_tools.php
index b858bd236b..8b17ea4fbb 100755
--- a/main/tracking/course_log_tools.php
+++ b/main/tracking/course_log_tools.php
@@ -22,11 +22,12 @@ if ($from == 'myspace') {
 }
 
 // Access restrictions.
-$is_allowedToTrack = api_is_platform_admin() || api_is_allowed_to_create_course() ||
-    api_is_session_admin() || api_is_drh() || api_is_course_tutor();
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() ||
+    api_is_course_tutor();
 
 if (!$is_allowedToTrack) {
-    api_not_allowed();
+    api_not_allowed(true);
     exit;
 }