I have a small problem with the ir.attachment model. This model is used to store pictures that are used on the website, and that is OK. It is easy to upload pictures, more difficult to change information about pictures, but it is TOO EASY to DELETE a picture (ir.attachment model) when picking another picture on another page.
What I mean by that is that in the image-pick-widget you only need to click "X" and the picture is gone... Of course you need to have the proper rights (delete), but those rights come with simple HR-Employee and maybe with some others, I do not know.
So my question is - how can I secure my websites, so that:
- delete rights will be only for Admin or for some special Role?
The biggest problem is that it is really easy to delete those attachments, and after that all websites that used this picture will be shown improperly. For me this is a really big issue for my users. And I know I can take back those rights in backend/setting but:
1. I will never be sure which other module will give them back
2. For Admin the problem remains.
Thanks in advance for some ideas,
Go to Settings -> Technical -> Database Structure -> Models. Then you can search for "ir.attachment" and view it. In the Access Rights tab you will see that the group Human Resources has Delete Access ticked. Edit the record and remove the checkbox tick in the Delete Access column.
By default all users belong to the Human Resources group. By unchecking the Delete Access checkbox, nobody will be able to delete an ir.attachment object (except the super admin).
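For the question's first worry (not knowing which other module grants the delete right again), here is an added example, not part of the original answer or of Odoo itself, that audits addon ACL files for rows granting delete on ir.attachment. It assumes the usual `ir.model.access.csv` column layout; the addon names, record ids and file contents are constructed samples.

```python
import csv
import io

# Constructed sample: addon name -> text of its security/ir.model.access.csv.
# Addon names, record ids and the example_* group are made up for illustration.
HEADER = "id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink\n"
SAMPLE_MODULES = {
    "example_hr": HEADER
    + "access_att_employee,attachment employee,base.model_ir_attachment,base.group_user,1,1,1,1\n",
    "example_website": HEADER
    + "access_att_public,attachment public,base.model_ir_attachment,,1,0,0,0\n"
    + "access_page_editor,page editor,model_example_page,example_website.group_editor,1,1,1,1\n",
    "example_docs": HEADER
    + "access_att_any,attachment any,base.model_ir_attachment,,1,1,1,1\n",
}

# External ids under which the ir.attachment model is referenced in ACL files.
ATTACHMENT_MODEL_IDS = {"model_ir_attachment", "base.model_ir_attachment"}


def find_delete_grants(modules):
    """Return (addon, ACL record id, group) for each row granting delete on ir.attachment."""
    grants = []
    for addon, text in sorted(modules.items()):
        for row in csv.DictReader(io.StringIO(text)):
            model = (row.get("model_id:id") or row.get("model_id/id") or "").strip()
            if model not in ATTACHMENT_MODEL_IDS:
                continue  # ACL for some other model
            if (row.get("perm_unlink") or "").strip().lower() not in ("1", "true"):
                continue  # row does not grant delete
            # An ACL row without a group applies to every user.
            group = (row.get("group_id:id") or row.get("group_id/id") or "").strip()
            grants.append((addon, row["id"].strip(), group or "<all users>"))
    return grants


if __name__ == "__main__":
    for addon, record, group in find_delete_grants(SAMPLE_MODULES):
        print(f"{addon}: {record} lets {group} delete ir.attachment")
```

To use it on a real installation, fill the dictionary from each addon's `security/ir.model.access.csv`. Access rights defined in XML data files or created through the Access Rights tab are not covered by this scan.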
|Asked: 6/10/15, 6:30 AM|
|Seen: 778 times|
|Last updated: 6/14/15, 8:46 AM|