Attachments are deletable by view-only users

Hi, There is a bug in attachments. When we attach a file to an entry, say “Purchase Invoice”, the user with View only access is still able to delete and upload attachments. Please fix.

Also, can “Edit” button be removed or disabled for View-only users?

I can confirm this - have just tested on a copy of Server Edition that I have running.

@Tut or @Brucanna would this one be worthy of tagging as a bug?

There may be technical limitations for why it was implemented the way it was. Only lubos would know for sure.

Currently, users with view-only access can open the Edit form but cannot Update / Delete (those buttons are disabled), so there’s no security / permission breach here - unlike the attachment issue you mentioned.

I couldn’t duplicate the error since I don’t run the server edition. Since @ShaneAU confirms it, I will elevate it.

Fixed in the latest version (17.9.38)

Thanks for the quick fix, lubos. Will update later and have a look.