Odoo Help


how to limit access rights to ir.attachement model?

Piotr Piotrowski
on 6/10/15, 6:30 AM 1,482 views

Hi everyone,

I have some small problem with ir.attachement model. This model is used to store pictures that are used on website and that is ok. It is easy to upload pictures, more difficult to change information about pictures, but it is TOO EASY to DELETE picture (ir.attachement model) when picking other picture on other page.

What I mean by that is, that in image-pick-widget You need to only click "X" and a picture is gone... Of course You need to have proper rights (delete) but those rights come with simple HR-Employee and maybe with some other, I do not know.

So my question is - how can I secure my websites, so that:

- before deleting the picture, someone will get javascript question, like: Are You sure You wanna do it?

- delete rights will be only for Admin or for some special Role?

The biggest problem is that it is really easy to delete those attachment and after that all websites that used this picture will be shown improperly. For me this is really big issue for my users. And I know I can take back those rights in backend/setting but:

1. I will never be sure which other module will give them back

2. For Admin the problem remains.

Thanks in advance for some ideas,


Again because of KARMA I cannot use this formu properly... I hope Andre de Kock that You will be notified about my comment. I agree that Your solution works. I did the same, actually I took back DELETE RIGHT from ir_attachment group_user but this is more like a workaround solution. Why? Because administrator shall have those rights - I can create new role/ access rule just for him, it is not a problem - BUT for him it still will be same easy to destroy some website just by accident. When You delete picture website looks very bad. So maybe the question shall be: where can I write my suggestion on module upgrade / feature request or whatever, something like small javascript with question: Do You really want to delete this picture? Sorry, but actually I do not know where is the place for such a request. Best Regards, Piotr

Piotr Piotrowski
on 6/11/15, 5:52 AM
Andre de Kock
On 6/10/15, 11:35 AM

Go to Settings -> Technical -> Database Structure ->Models. Then you can search for "ir.attachment" and view it. In the Access Rights tab you will see that the group Human Resources has Delete Access ticked. Edit the record and remove the checkbox tick in the Delete Access column.

By default all users belong to the Human Resources group. By unchecking the Delete Access checkbox, nobody will be able to delete an ir.attachment object (except the super admin).

About This Community

This platform is for beginners and experts willing to share their Odoo knowledge. It's not a forum to discuss ideas, but a knowledge base of questions and their answers.


Odoo Training Center

Access to our E-learning platform and experience all Odoo Apps through learning videos, exercises and Quizz.

Test it now

Question tools

1 follower(s)


Asked: 6/10/15, 6:30 AM
Seen: 1482 times
Last updated: 6/14/15, 8:46 AM