Attachment Security - Control Access & Delete Permissions
by LucidBrainz https://lucidbrainz.com/?i=1
$ 0.01
| Availability | Odoo Online, Odoo.sh, On Premise |
| Odoo Apps Dependencies | Discuss (mail) |
| Lines of code | 81 |
| Technical Name | attachment_security |
| License | LGPL-3 |
| Website | https://lucidbrainz.com/?i=1 |
| Versions | 16.0 17.0 18.0 19.0 |
Attachment Security - Control Access & Delete Permissions
User-Based Attachment Visibility | Delete Permission Control | Creator-Only Access | Access Rights Management
Overview
Attachment Security by LucidBrainz is a comprehensive attachment management solution for Odoo 18 that provides granular control over who can view and delete attachments throughout your system. This module implements intelligent visibility controls where users can see only their own attachments by default, with additional access granted for attachments linked to records they have read permissions for. The solution features flexible delete permissions with three-tier control: superusers can delete any attachment, specially authorized users with the "Can Delete Any Attachment" permission can manage all attachments, and regular users can only delete attachments they created.
Built with zero database modifications using pure XML view inheritance and Python model extensions, the module ensures complete data safety without any risk of corruption. It features smart access control with readonly inherited addresses for child contacts, universal compatibility across all Odoo modules including Sales, CRM, Invoicing, Purchase, HR, and Projects, and professional error messages guiding users when access is denied. The lightweight architecture adds a single boolean field to the res.users model for delete permissions, implements a computed visibility field on ir.attachment without storage overhead, and overrides the unlink method with permission checks.
It is perfect for multi-user environments requiring data privacy, companies with confidential document management needs, organizations following security compliance standards, and businesses wanting to prevent accidental or unauthorized attachment deletions.
System administrators can easily grant delete permissions through the user settings interface with a simple toggle switch visible only to admin users. The module activates immediately after installation with no configuration required, preserves all existing attachment data and access patterns, and provides clear access error messages to users.
Ready to secure your attachments with enterprise-grade permission controls!
Key Features
- Intelligent Visibility Control: Implements smart attachment visibility where users see only their own uploaded attachments by default. Automatically grants access to attachments linked to records (sales orders, invoices, etc.) where the user has read permissions. Superusers maintain full visibility across all attachments for administrative oversight
- Three-Tier Delete Permission System: Granular delete control with superuser level (delete anything), authorized user level (Can Delete Any Attachment permission), and creator level (delete own attachments only). Prevents unauthorized deletion while providing flexibility for document managers and administrators
- Can Delete Any Attachment Permission: New user-level permission toggle available in Settings → Users & Companies → Users → Access Rights tab. Visible and modifiable only by system administrators (base.group_system). Enables selective granting of delete permissions to trusted users without making them superusers
- Creator-Only Default Access: Regular users restricted to managing only attachments they personally uploaded. Automatic creator tracking using create_uid field ensures accurate ownership determination. Protects confidential documents and prevents accidental data loss from unauthorized deletions
- Linked Record Permission Inheritance: Smart context-aware access where attachment visibility extends based on linked record (res_model + res_id) permissions. Users with read access to a sale order automatically see order attachments. Seamless integration with existing Odoo record-level security rules
- Professional Access Error Messages: Clear, user-friendly error dialogs when delete attempts fail. Message reads "You are not allowed to delete this attachment. Only the creator or users with special permissions can delete attachments." Guides users without technical jargon
- Zero Database Risk Architecture: No modification to ir.attachment table structure, no custom database tables created, no data migration scripts required. Visibility computed on-the-fly without storage overhead. Can be uninstalled cleanly without any data loss or orphaned records
- Lightweight Python Implementation: Minimal code footprint with just two model extensions (ir.attachment and res.users). No controllers, no JavaScript, no complex dependencies. Single computed boolean field (visible) with @api.depends decorators ensuring efficient recalculation only when needed
- Universal Module Compatibility: Works seamlessly across all Odoo applications - Sales quotations and orders, Customer and supplier invoices, Purchase RFQs and orders, CRM leads and opportunities, HR employee documents, Project attachments, Email attachments in chatter, and any custom module using res.partner or attachments
- Multi-User Environment Optimized: Perfect for organizations with multiple users sharing a database. Prevents users from seeing each other's private attachments. Maintains data privacy without complex folder structures or sharing rules. Ideal for companies with confidential document requirements
- Superuser Administrative Override: System administrators maintain full visibility and delete access regardless of creator. Uses Odoo's built-in _is_superuser() check for reliable admin detection. Ensures system maintenance and data cleanup capabilities are never restricted
- Computed Visibility Field: Real-time calculation of attachment visibility based on current user context. Uses @api.depends on create_uid, res_model, and res_id for intelligent dependency tracking. Setting store=False ensures no database write overhead while maintaining accurate access control
- Access Rights Integration: Leverages Odoo's native access control system (check_access_rights and check_access_rule) for linked record permission checking. No reinvention of the security wheel - extends and integrates with existing ir.model.access and record rules
- Smart Search Filtering: The overridden search_read method automatically filters attachment lists, showing only accessible items. Users see clean attachment lists without permission-denied errors. Public attachments remain visible to all users for shared resources
- Chatter Attachment Integration: Works perfectly with Odoo's message/chatter system where documents are attached to form views. Maintains chatter functionality while adding security layer. Email attachments follow same permission rules as manual uploads
- Readonly Field Management: The groups attribute (groups='base.group_system') ensures the Can Delete Any Attachment toggle is visible only to administrators. Prevents regular users from modifying their own permissions. Maintains security hierarchy and prevents privilege escalation
- Easy Configuration Interface: Simple toggle switch in user settings - no complex permission matrices or XML editing required. Changes take effect immediately without server restart. Administrators can quickly grant or revoke delete permissions as roles change
- Instant Activation: Zero configuration required after installation. Module activates automatically, applying security rules to all existing attachments. No data initialization scripts, no setup wizards, no manual CSV imports. Works out-of-the-box immediately after clicking the Install button
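The delete tiers and visibility rules listed above, modelled as a stand-alone Python example that is added here for illustration; it is not the module's code and does not import Odoo. The names `User`, `Attachment`, `can_delete`, `visible`, `unlink` and `sample_store`, the `readable` set standing in for record-level read access, and the all-or-nothing handling of a mixed batch are assumptions.

```python
from dataclasses import dataclass

# Error text as quoted in the feature list.
DENIED = ("You are not allowed to delete this attachment. Only the creator "
          "or users with special permissions can delete attachments.")

class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError (assumption)."""

@dataclass(frozen=True)
class User:
    uid: int
    is_superuser: bool = False
    can_delete_any_attachment: bool = False  # the boolean added to res.users
    readable: frozenset = frozenset()        # (res_model, res_id) the user may read

@dataclass(frozen=True)
class Attachment:
    id: int
    create_uid: int
    res_model: str = ""
    res_id: int = 0
    public: bool = False

def can_delete(user, att):
    # Tier 1: superuser. Tier 2: flagged user. Tier 3: creator only.
    return (user.is_superuser or user.can_delete_any_attachment
            or att.create_uid == user.uid)

def visible(user, att):
    # Own, public, or linked to a record the user can read.
    if user.is_superuser or att.public or att.create_uid == user.uid:
        return True
    return bool(att.res_model) and (att.res_model, att.res_id) in user.readable

def unlink(user, store, ids):
    """Delete ids from store (dict id -> Attachment); returns the count."""
    targets = [store[i] for i in ids]
    # Check every record before deleting any, so a mixed batch changes nothing.
    if not all(can_delete(user, a) for a in targets):
        raise AccessError(DENIED)
    for a in targets:
        del store[a.id]
    return len(targets)

def sample_store():
    # Constructed sample data: user 7 owns one attachment, user 8 owns three.
    rows = [Attachment(1, 7, "sale.order", 42), Attachment(2, 8, "sale.order", 42),
            Attachment(3, 8, "hr.employee", 5), Attachment(4, 8, public=True)]
    return {a.id: a for a in rows}
```

When reviewing an actual installation, the same cases (own, linked, public, mixed batch) are the ones worth exercising against the real `ir.attachment` model with a non-admin test user.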
© 2025 LucidBrainz | All Rights Reserved | License: LGPL-3 | Version: 18.0.1.0.0