After upgrading Service Desk from 14.1.03 to 17.1, end users started experiecing an issue when downloading attachments prior saving an incident, problem, issue, change order or configuration item.
The error message bellow appears in stdlog:
rep_daemon 6148 ERROR DomWrap.c 894 Access to BOP Name: 'Attachment id:643507' denied for user: 'end.user' Class:'CDownloadFile'
Service Desk 17.1
Service Desk 17.0
Service Desk 14.1 (since CF4)
Starting with 14.1.04 the access to the parent object of the attachment when a download is attempted is being enforced. Since the ticket is not saved there is no valid pared so the user is blocked from downloading the attachment. This change was added in CF4, where the somebody was able to get a valid bopsid and send requests to SDM and download attachments attached to documents that the user didn't have access to. The solution for the mentioned security issue was to ensure that the user has access to the ticket that the attachment belongs to before allowing the attachment to be server.
Save the ticket and download the attachment.