Attachments are deletable by view-only users

Hi, there is a bug in attachments. When we attach a file to an entry, say “Purchase Invoice”, a user with view-only access is still able to delete and upload attachments. Please fix.

Also, can the “Edit” button be removed or disabled for view-only users?

I can confirm this - have just tested on a copy of Server Edition that I have running.

@Tut or @Brucanna would this one be worthy of tagging as a bug?

There may be technical limitations for why it was implemented the way it was. Only lubos would know for sure.

Currently, users with view-only access can open the Edit form but cannot Update / Delete (those buttons are disabled), so there’s no security / permission breach here - unlike the attachment issue you mentioned.

I couldn’t duplicate the error since I don’t run the server edition. Since @ShaneAU confirms it, I will elevate it.

Fixed in the latest version (17.9.38)

Thanks for the quick fix, lubos. Will update later and have a look.

This issue is now back again: users who don’t have the delete button enabled are now able to delete attachments. Please can you check. I’m using the cloud version. Also it was previously not possible.

Cloud Edition Version 20.9.88 doesn’t have this problem.

Still the problem is as it was :frowning:

@fahadalarab, since a moderator (@Abeiku) cannot duplicate this, have you restarted your cloud server since version 20.9.88? Go to https://cloud.manager.io and click the Restart Cloud Server button.