Scoped Application Workspace: Unable to Prevent Attachment Deletion (No Conditional Delete ACL)
7 hours ago
Summary
In a scoped application Workspace, users are able to delete attachments even when they do not have write access to the record. There also appears to be no way to implement conditional delete control for attachments within the scoped application.
Environment
Platform: ServiceNow
Application Type: Scoped Application
UI: Workspace
Component: Default Workspace Attachment component
Issue Description
Users are able to delete attachments from records in Workspace even though they do not have write access to the record according to ACL rules.
In this scoped application, write access to the record is restricted through ACLs. However, the default Workspace attachment component still allows attachment deletion.
Additionally, within a scoped application, there does not appear to be a way to implement a conditional delete ACL on the sys_attachment table to control attachment deletion based on record conditions or roles.
Steps to Reproduce
- Create or use a table in a scoped application.
- Configure ACLs so that a user does not have write access to the record.
- Access the record in Workspace.
- Upload an attachment (or use an existing attachment).
- Select any uploaded attachment.
- Attempt to delete the attachment (as shown in image above).
Result:
The user is able to delete the attachment despite lacking write access.
Expected Behavior
Attachment deletion should respect ACL restrictions.
Users who do not have write access to the record should not be able to delete attachments, or there should be a supported mechanism to control attachment deletion through ACLs or configuration.
Actual Behavior
Users can delete attachments from Workspace even when they do not have write access to the record, and there is no clear mechanism within the scoped application to enforce conditional delete restrictions.
