At the moment, we have two roles in which access to the filesystem (via Attachments) is granted: file_upload and file_download.
This is now inadequate in a scenario that we're facing in which a certain object's attachments are storing super sensitive information. We want users to still be able to view the object's data, but not the attachments.
My proposal is that we move file access permissions into the DbObject, as the object is then responsible for fine tuning access to its attachments. In the same format as the DbObject::can[List|View|Edit|Delete], the functions would be called canDownload and canUpload.
If you do not implement these functions, then they fall back to the normal file_upload and file_download roles.
With this, you could then, for example, restrict upload access to Task attachments to anyone with the task_admin role, but still allow any user with access to a task to download said attachments. You would implement the canUpload function on the Task object as:

```php
class Task extends DbObject {
    ...
    // Override the default (role-based) check: only task admins may upload attachments.
    // canDownload is not overridden here, so it falls back to the file_download role.
    public function canUpload(\User $user) {
        return $user->hasRole('task_admin');
    }
}
```
A nice side effect to this is that you could essentially implement attachment lifetimes to non-admin users, i.e. attachments are only visible for a certain period of time.
On this, we could also implement this for comments...
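To show how the proposal fits together, here is an added illustration (not code from the post or the project): a DbObject with the role-based fallback, a Task override that restricts upload and applies an attachment lifetime for non-admins, and the check an attachment endpoint would run before serving a file. DbObject, User, Task and hasRole() come from the post; the Attachment class, its dt_created field, the 30-day window and the assumption that the caller has already verified view access to the object are mine.

```php
<?php
// Added example, not part of the original proposal. Attachment, dt_created and the
// lifetime value are assumptions; the endpoint assumes the object's own canView check
// has already passed before canDownload is consulted.

class User {
    public function __construct(private array $roles) {}
    public function hasRole(string $role): bool { return in_array($role, $this->roles, true); }
}

class Attachment {
    public function __construct(public int $dt_created) {}  // unix timestamp (assumed field)
}

class DbObject {
    // Default behaviour: objects that do not override these keep the old global roles.
    public function canUpload(User $user): bool { return $user->hasRole('file_upload'); }
    public function canDownload(User $user, ?Attachment $a = null): bool {
        return $user->hasRole('file_download');
    }
}

class Task extends DbObject {
    const ATTACHMENT_LIFETIME = 30 * 86400; // seconds (assumed value)

    // Only task admins may upload to a task.
    public function canUpload(User $user): bool {
        return $user->hasRole('task_admin');
    }

    // Anyone who can reach the task may download, but non-admins only while the
    // attachment is within its lifetime; deny when the lifetime cannot be evaluated.
    public function canDownload(User $user, ?Attachment $a = null): bool {
        if ($user->hasRole('task_admin')) { return true; }
        if ($a === null) { return false; }
        return (time() - $a->dt_created) < self::ATTACHMENT_LIFETIME;
    }
}

// What the download endpoint does before streaming the file: ask the owning object.
function serveAttachment(DbObject $owner, User $user, Attachment $a): string {
    return $owner->canDownload($user, $a) ? '200 OK' : '403 Forbidden';
}

$task  = new Task();
$admin = new User(['task_admin']);
$plain = new User(['file_download']);
echo serveAttachment($task, $plain, new Attachment(time() - 86400)), "\n";
echo serveAttachment($task, $plain, new Attachment(time() - 60 * 86400)), "\n";
echo serveAttachment($task, $admin, new Attachment(time() - 60 * 86400)), "\n";
```

A DbObject that does not override the methods (the plain base class above) still grants access purely on the file_upload/file_download roles, so existing objects keep their current behaviour.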