I would not forget the ACLs since setting up ACLs to prevent "download"
for users you don't want to be able to download the files will prevent the
download of those file attachments. I am pretty sure that you can still
"see" the file names as attachments if you do this, but unauthorized users
cannot actually download them. If the requirement is the hide even the
existence of those files, then I would recommend not using File
Attachments, but rather use WTDocuments over which you can control "read
access" to the metadata as well as the file content, and then attach the
WTDocument to the PR or related WTDocument as linked objects (Affected
Objects for PRs, and either References or Structure links for Documents).
Alternatively, you might get creative using Query Builder or a custom JSP
report that bypasses access control to display metadata and links. You
would do this by not giving users who cannot "see" the file attachments
read accesss to the PR or Documents, but allowing them to "see" metadata
in reports that by pass access control, but do not display the file
attachment data in the report output. With this approach, you can control
exactly what metadata is displayed since the only way unauthorized users
can see it is via a report tailored to their access limits on an attribute
by attribute basis.
If you have to hide the existence of the file name, and if you also reject
the use of a separate, linked WTDocument as well as a report-based
approach, then you will have to do some customization to the user
interface - something we avoid since doing so complicates future upgrades
and migrations since you end up messing with out of the box functionality.
Al
[solutions] - Hide Attachments (Application Data) for a Docment / Problem
Report
Sriram Rammohan
