Skip to Content
Menu
This question has been flagged

Hi everyone,


I have some small problem with ir.attachement model. This model is used to store pictures that are used on website and that is ok. It is easy to upload pictures, more difficult to change information about pictures, but it is TOO EASY to DELETE picture (ir.attachement model) when picking other picture on other page.

What I mean by that is, that in image-pick-widget You need to only click "X" and a picture is gone... Of course You need to have proper rights (delete) but those rights come with simple HR-Employee and maybe with some other, I do not know.

So my question is - how can I secure my websites, so that:

- before deleting the picture, someone will get javascript question, like: Are You sure You wanna do it?

- delete rights will be only for Admin or for some special Role?

The biggest problem is that it is really easy to delete those attachment and after that all websites that used this picture will be shown improperly. For me this is really big issue for my users. And I know I can take back those rights in backend/setting but:

1. I will never be sure which other module will give them back

2. For Admin the problem remains.


Thanks in advance for some ideas,

Piotr    

Avatar
Discard
Author

Again because of KARMA I cannot use this formu properly... I hope Andre de Kock that You will be notified about my comment. I agree that Your solution works. I did the same, actually I took back DELETE RIGHT from ir_attachment group_user but this is more like a workaround solution. Why? Because administrator shall have those rights - I can create new role/ access rule just for him, it is not a problem - BUT for him it still will be same easy to destroy some website just by accident. When You delete picture website looks very bad. So maybe the question shall be: where can I write my suggestion on module upgrade / feature request or whatever, something like small javascript with question: Do You really want to delete this picture? Sorry, but actually I do not know where is the place for such a request. Best Regards, Piotr

Best Answer

Go to Settings -> Technical -> Database Structure ->Models. Then you can search for "ir.attachment" and view it. In the Access Rights tab you will see that the group Human Resources has Delete Access ticked. Edit the record and remove the checkbox tick in the Delete Access column.

By default all users belong to the Human Resources group. By unchecking the Delete Access checkbox, nobody will be able to delete an ir.attachment object (except the super admin).

Avatar
Discard
Related Posts Replies Views Activity
2
Jan 23
4484
2
Jan 23
12400
0
Jun 22
2188
1
Jul 15
6320
1
Dec 24
153