From 7e68d0465607090d6496581d75f702ce5e04aa31 Mon Sep 17 00:00:00 2001
From: Graeme Gellatly
Date: Mon, 9 Mar 2026 03:10:22 +0000
Subject: [PATCH] [FIX] impersonate_login: keep attachment ownership for access checks

Avoid rewriting create_uid/write_uid on ir.attachment during impersonation. Temporary report/email attachments may be created without res_model/res_id and core access checks rely on creator ownership for read access in that case.
---
 impersonate_login/models/model.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/impersonate_login/models/model.py b/impersonate_login/models/model.py
index 62803ea9d2..b17f90c4cc 100644
--- a/impersonate_login/models/model.py
+++ b/impersonate_login/models/model.py
@@ -11,6 +11,13 @@ class BaseModel(models.AbstractModel):

 def _prepare_create_values(self, vals_list):
 result_vals_list = super()._prepare_create_values(vals_list)
+ # Keep core attachment access semantics intact.
+ # For temporary/generated attachments (often without res_model/res_id),
+ # read access falls back to creator ownership. Rewriting create_uid to
+ # the original impersonator can make the active impersonated user lose
+ # access immediately in the same flow (e.g. compose email after report).
+ if self._name == "ir.attachment":
+ return result_vals_list
 if (
 request
 and request.session.get("impersonate_from_uid")
@@ -23,6 +30,8 @@ def _prepare_create_values(self, vals_list):
 def write(self, vals):
 """Overwrite the write_uid with the impersonating user"""
 res = super().write(vals)
+ if self._name == "ir.attachment":
+ return res
 if (
 request
 and request.session.get("impersonate_from_uid")
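Review bot: The early return added to `_prepare_create_values` exempts every `ir.attachment` create, while the comment above it and the commit message justify the exemption only for attachments created without `res_model`/`res_id`. Attachments that are linked to a record would keep the impersonated user's id as `create_uid`, so the row no longer shows who actually acted during the impersonation session. Consider skipping the rewrite only for entries without a record link, for example `if self._name == "ir.attachment" and not (vals.get("res_model") and vals.get("res_id")): continue` inside the rewrite loop, assuming the loop outside this hunk iterates per-record value dicts. The function body continues outside the hunk, so the exact placement needs checking there.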
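Review bot: The early return added to `write` also stops `write_uid` from being rewritten on attachments, but the rationale given in the first hunk concerns `create_uid` ownership only, and nothing on the page shows an access check that depends on `write_uid`. If no such check exists, this guard only removes the impersonating user from the modification trail and could be dropped. If it is needed, it deserves its own comment, e.g. `# Skip attachments: <why write_uid must stay the active user>`, and the docstring should read something like `"""Overwrite the write_uid with the impersonating user (ir.attachment excepted)"""`. The body of `write` continues outside the hunk.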