Hi All,

I have a question in relation to the security of the default attachment functionality within Odoo.

Attachments within Odoo are all referenced by a URL with an ID as shown below:

https://{odoo domain}/web/content/1701?download=true

Issue:

Any logged-in user can simply take this URL and increment/decrement the ID to obtain all documents stored within Odoo! This means that if a user updates a resume on the recruitment module, it can potentially be read by anybody. If new costing information is uploaded against a product, it can be downloaded by anybody. This poses a serious privacy issue and I am sure that I am not the only person that has this issue.

Does anybody have any suggestions on how we can lock down attachments to the model and record against which the attachment was attached?

E.g. if an employment contract is attached to the recruitment record of Bill Smith, the attachment should only be opened from that record (and therefore inherit the permissions of that record)?

Note: I am using Odoo V11

Any advice on getting around this security issue would be greatly appreciated.
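Added example, not part of the original post: a small log scan that shows what the ID walk described above looks like from the server side, so it can be detected while the access rules are being fixed. It assumes nginx combined-format access logs in front of Odoo; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (nginx "combined" format, Odoo behind a proxy).
# The first three lines show one client walking consecutive attachment IDs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2019:09:00:01 +0000] "GET /web/content/1701?download=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2019:09:00:03 +0000] "GET /web/content/1702?download=true HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2019:09:00:04 +0000] "GET /web/content/1703?download=true HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2019:09:00:05 +0000] "GET /web/content/42?download=true HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2019:09:03:10 +0000] "GET /web/content/1705?download=true HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Combined-format line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Odoo attachment download URL as quoted in the post: /web/content/<id>?download=true
CONTENT_RE = re.compile(r'^/web/content/(?P<id>\d+)(?:[/?]|$)')


def attachment_requests(log_text):
    """Yield (client_ip, attachment_id) for every successful /web/content/<id> request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        c = CONTENT_RE.match(m.group("path"))
        if c:
            yield m.group("ip"), int(c.group("id"))


def find_enumeration(log_text, min_run=3):
    """Return {client_ip: longest run} for clients whose longest run of consecutive
    attachment IDs (step +1 or -1, in request order) reaches min_run."""
    by_client = defaultdict(list)
    for ip, att_id in attachment_requests(log_text):
        by_client[ip].append(att_id)
    flagged = {}
    for ip, ids in by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged
```

Normal users open attachments from a record, so their IDs are scattered; a long run of adjacent IDs from one client is the signal worth alerting on.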

Same Concern