diff --git a/addons/account/account_move_line.py b/addons/account/account_move_line.py
index bbe70b3881e..772af55414e 100644
--- a/addons/account/account_move_line.py
+++ b/addons/account/account_move_line.py
@@ -190,11 +190,11 @@ class account_move_line(osv.osv):
     def create_analytic_lines(self, cr, uid, ids, context=None):
         acc_ana_line_obj = self.pool.get('account.analytic.line')
         for obj_line in self.browse(cr, uid, ids, context=context):
+            if obj_line.analytic_lines:
+                acc_ana_line_obj.unlink(cr,uid,[obj.id for obj in obj_line.analytic_lines])
             if obj_line.analytic_account_id:
                 if not obj_line.journal_id.analytic_journal_id:
                     raise osv.except_osv(_('No Analytic Journal!'),_("You have to define an analytic journal on the '%s' journal!") % (obj_line.journal_id.name, ))
-                if obj_line.analytic_lines:
-                    acc_ana_line_obj.unlink(cr,uid,[obj.id for obj in obj_line.analytic_lines])
                 vals_line = self._prepare_analytic_line(cr, uid, obj_line, context=context)
                 acc_ana_line_obj.create(cr, uid, vals_line)
         return True
diff --git a/addons/account/wizard/account_fiscalyear_close_state.py b/addons/account/wizard/account_fiscalyear_close_state.py
index ed84ab65184..05bf3896e78 100644
--- a/addons/account/wizard/account_fiscalyear_close_state.py
+++ b/addons/account/wizard/account_fiscalyear_close_state.py
@@ -41,9 +41,15 @@ class account_fiscalyear_close_state(osv.osv_memory):
         @param ids: List of Account fiscalyear close state’s IDs
 
         """
+        account_move_obj = self.pool.get('account.move')
+
         for data in  self.read(cr, uid, ids, context=context):
             fy_id = data['fy_id'][0]
 
+            account_move_ids = account_move_obj.search(cr, uid, [('period_id.fiscalyear_id', '=', fy_id), ('state', '=', "draft")], context=context)
+            if account_move_ids:
+                raise osv.except_osv(_('Invalid Action!'), _('In order to close a fiscalyear, you must first post related journal entries.'))
+
             cr.execute('UPDATE account_journal_period ' \
                         'SET state = %s ' \
                         'WHERE period_id IN (SELECT id FROM account_period \
diff --git a/addons/account_analytic_analysis/account_analytic_analysis.py b/addons/account_analytic_analysis/account_analytic_analysis.py
index 973206bfef6..b61bb29b253 100644
--- a/addons/account_analytic_analysis/account_analytic_analysis.py
+++ b/addons/account_analytic_analysis/account_analytic_analysis.py
@@ -272,9 +272,13 @@ class account_analytic_account(osv.osv):
         if child_ids:
             #Search all invoice lines not in cancelled state that refer to this analytic account
             inv_line_obj = self.pool.get("account.invoice.line")
-            inv_lines = inv_line_obj.search(cr, uid, ['&', ('account_analytic_id', 'in', child_ids), ('invoice_id.state', '!=', 'cancel')], context=context)
+            inv_lines = inv_line_obj.search(cr, uid, ['&', ('account_analytic_id', 'in', child_ids), ('invoice_id.state', 'not in', ['draft', 'cancel']), ('invoice_id.type', 'in', ['out_invoice', 'out_refund'])], context=context)
             for line in inv_line_obj.browse(cr, uid, inv_lines, context=context):
-                res[line.account_analytic_id.id] += line.price_subtotal
+                if line.invoice_id.type == 'out_refund':
+                    res[line.account_analytic_id.id] -= line.price_subtotal
+                else:
+                    res[line.account_analytic_id.id] += line.price_subtotal
+
         for acc in self.browse(cr, uid, res.keys(), context=context):
             res[acc.id] = res[acc.id] - (acc.timesheet_ca_invoiced or 0.0)
 
@@ -372,11 +376,14 @@ class account_analytic_account(osv.osv):
         inv_ids = []
         for account in self.browse(cr, uid, ids, context=context):
             res[account.id] = 0.0
-            line_ids = lines_obj.search(cr, uid, [('account_id','=', account.id), ('invoice_id','!=',False), ('to_invoice','!=', False), ('journal_id.type', '=', 'general')], context=context)
+            line_ids = lines_obj.search(cr, uid, [('account_id','=', account.id), ('invoice_id','!=',False), ('to_invoice','!=', False), ('journal_id.type', '=', 'general'), ('invoice_id.type', 'in', ['out_invoice', 'out_refund'])], context=context)
             for line in lines_obj.browse(cr, uid, line_ids, context=context):
                 if line.invoice_id not in inv_ids:
                     inv_ids.append(line.invoice_id)
-                    res[account.id] += line.invoice_id.amount_untaxed
+                    if line.invoice_id.type == 'out_refund':
+                        res[account.id] -= line.invoice_id.amount_untaxed
+                    else:
+                        res[account.id] += line.invoice_id.amount_untaxed
         return res
 
     def _remaining_ca_calc(self, cr, uid, ids, name, arg, context=None):
diff --git a/addons/auth_oauth/__openerp__.py b/addons/auth_oauth/__openerp__.py
index 76f15687eb9..61c1c8c5d92 100644
--- a/addons/auth_oauth/__openerp__.py
+++ b/addons/auth_oauth/__openerp__.py
@@ -38,6 +38,7 @@ Allow users to login through OAuth2 Provider.
         'auth_oauth_data.yml',
         'auth_oauth_view.xml',
         'security/ir.model.access.csv',
+        'res_config.xml',
         'views/auth_oauth_login.xml',
     ],
     'installable': True,
diff --git a/addons/auth_oauth/res_config.py b/addons/auth_oauth/res_config.py
index 82d79c767f5..de5f1a74b2d 100644
--- a/addons/auth_oauth/res_config.py
+++ b/addons/auth_oauth/res_config.py
@@ -34,6 +34,11 @@ class base_config_settings(osv.TransientModel):
         'auth_oauth_facebook_client_id' : fields.char('Client ID'),
     }
 
+    def default_get(self, cr, uid, fields, context=None):
+        res = super(base_config_settings, self).default_get(cr, uid, fields, context=context)
+        res.update(self.get_oauth_providers(cr, uid, fields, context=context))
+        return res
+
     def get_oauth_providers(self, cr, uid, fields, context=None):
         google_id = self.pool.get('ir.model.data').get_object_reference(cr, uid, 'auth_oauth', 'provider_google')[1]
         facebook_id = self.pool.get('ir.model.data').get_object_reference(cr, uid, 'auth_oauth', 'provider_facebook')[1]
diff --git a/addons/product/product.py b/addons/product/product.py
index 25368e8f0c7..dd117e41d63 100644
--- a/addons/product/product.py
+++ b/addons/product/product.py
@@ -739,6 +739,10 @@ class product_product(osv.osv):
             return (d['id'], name)
 
         partner_id = context.get('partner_id', False)
+        if partner_id:
+            partner_ids = [partner_id, self.pool['res.partner'].browse(cr, user, partner_id, context=context).commercial_partner_id.id]
+        else:
+            partner_ids = []
 
         # all user don't have access to seller and partner
         # check access and use superuser
@@ -747,7 +751,7 @@ class product_product(osv.osv):
 
         result = []
         for product in self.browse(cr, SUPERUSER_ID, ids, context=context):
-            sellers = filter(lambda x: x.name.id == partner_id, product.seller_ids)
+            sellers = partner_ids and filter(lambda x: x.name.id in partner_ids, product.seller_ids) or []
             if sellers:
                 for s in sellers:
                     mydict = {
diff --git a/openerp/addons/base/ir/ir_attachment.py b/openerp/addons/base/ir/ir_attachment.py
index d9ad724e7f0..caa8db15a5e 100644
--- a/openerp/addons/base/ir/ir_attachment.py
+++ b/openerp/addons/base/ir/ir_attachment.py
@@ -28,6 +28,8 @@ import re
 from openerp import tools
 from openerp.osv import fields,osv
 from openerp import SUPERUSER_ID
+from openerp.osv.orm import except_orm
+from openerp.tools.translate import _
 
 _logger = logging.getLogger(__name__)
 
@@ -190,12 +192,14 @@ class ir_attachment(osv.osv):
         more complex ones apply there.
         """
         res_ids = {}
+        require_employee = False
         if ids:
             if isinstance(ids, (int, long)):
                 ids = [ids]
             cr.execute('SELECT DISTINCT res_model, res_id FROM ir_attachment WHERE id = ANY (%s)', (ids,))
             for rmod, rid in cr.fetchall():
                 if not (rmod and rid):
+                    require_employee = True
                     continue
                 res_ids.setdefault(rmod,set()).add(rid)
         if values:
@@ -207,10 +211,16 @@ class ir_attachment(osv.osv):
             # ignore attachments that are not attached to a resource anymore when checking access rights
             # (resource was deleted but attachment was not)
             if not self.pool.get(model):
+                require_employee = True
                 continue
-            mids = self.pool[model].exists(cr, uid, mids)
+            existing_ids = self.pool[model].exists(cr, uid, mids)
+            if len(existing_ids) != len(mids):
+                require_employee = True
             ima.check(cr, uid, model, mode)
-            self.pool[model].check_access_rule(cr, uid, mids, mode, context=context)
+            self.pool[model].check_access_rule(cr, uid, existing_ids, mode, context=context)
+        if require_employee:
+            if not self.pool['res.users'].has_group(cr, uid, 'base.group_user'):
+                raise except_orm(_('Access Denied'), _("Sorry, you are not allowed to access this document."))
 
     def _search(self, cr, uid, args, offset=0, limit=None, order=None, context=None, count=False, access_rights_uid=None):
         ids = super(ir_attachment, self)._search(cr, uid, args, offset=offset,