Only admin role can remove attachments

scott_newton · ‎10-06-2009

Anyone can add an attachmnet but only admin role can remove them. The remove button shows up for all but when they check the attachment and then click remove, the button goes from black to gray and nothing happens.

We never tested this functionality so I have no idea at what point this broke (if it ever worked).

This happens in all three instances (Prod was cloned to Dev but not Test). I don't have the slightest idea where to begin looking into this and any assistance/suggestions will be appreciated.

CapaJC · ‎10-06-2009

With the Fall release, deleting attachments checks delete permissions for the parent record. If the user cannot delete the record, they cannot remove attachments from it.

This logic has been modified in a patch to only require WRITE access to the record, which seems more appropriate. The patch is available now.

In Fall 2009 Stable 1 in about a month, removal of attachments willi check DELETE access to the attachment, based on sys_attachment ACLs, which by default will simply check write access to the record, but can be customized as desired or removed entirely for those that wish no security on attachments.

martincohn · ‎08-26-2010

We actually wanted this behavior. Modifed Access Control sys_attachment delete and added requires role admin.

Still needed to let the KB admins delete KB article attachments so added another access control sys_attachment delete with condition of Table name is kb_knowledge and requires role knowledge_admin

If there is a dupe name both show up. Added Related List attachments to pretty much every form that allows attachments that we use, and modifired the list to show created by and created. That allows users to easily ID which attachment is the newest. Also can be seen if you hover on the attachment link at top of form.

Now everyone (including audit) is happy...