atlassian / ajardim / CONFSERVER-66456
Jun 30, 2021 - 3:31 p.m.

Attachment name, in questions/answers, is searchable despite not having Permissions for Questions

2021-06-30 15:31:34
ajardim
jira.atlassian.com

h4. Summary

The questions plugin allows administrators to restrict its usage to groups/users, similar to Confluence Permissions. Attachments uploaded to these questions/answers can be found by users that do not have Questions Permission. However, while the attachment can be searched and its title is displayed, clicking on the attachment will display a Not Permitted page:
!Not Permitted.png|thumbnail!

h4. Steps to Reproduce

# Install Confluence Questions.
# As a Confluence admin, navigate to Questions for Confluence >> Permissions.
# Remove the group/user permission from a Test User. This Test User shouldn’t be able to see anything related to the Questions plugin.
# As the admin user, create a question and add an attachment Test.png.
# Publish the question.
# As the Test user that doesn’t have permission to use the Questions plugin, try to search for Test.png.

h4. Expected Results
Nothing is found

h4. Actual Results
The attachment is found. Clicking on it shows the user the Not Permitted screen; however, the attachment name, which may contain sensitive information, is still displayed to this user.

h4. Workaround
If the question is tied to a space, this space can be restricted and the attachment won’t be found.

If the question isn’t tied to a space or the space can’t/won’t be restricted, there is no workaround. If one is identified, it’ll be shared here.
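
The gap between the search-time filter and the view-time check described above can be shown with a small model. This is an added example, not Confluence or Questions plugin code: every class, function and sample value in it is hypothetical and constructed, and it assumes only what the report states (space restrictions hide the hit, the Questions permission does not).

```python
# Constructed model of the behaviour in this report; not Confluence or plugin code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    can_use_questions: bool          # Questions for Confluence >> Permissions
    spaces: frozenset = frozenset()  # spaces the user may view

@dataclass(frozen=True)
class Attachment:
    title: str
    container: str                   # "question" or "page" (hypothetical labels)
    space: Optional[str] = None      # None: question not tied to a space

def may_view(user, att):
    """View-time check: the one that produces the Not Permitted page."""
    if att.space is not None and att.space not in user.spaces:
        return False
    return att.container != "question" or user.can_use_questions

def search_reported(index, user, term):
    """Search as reported: only a space restriction hides a hit."""
    return [a.title for a in index
            if term.lower() in a.title.lower()
            and (a.space is None or a.space in user.spaces)]

def search_hardened(index, user, term):
    """Apply the view-time decision to every hit before returning its title."""
    return [a.title for a in index
            if term.lower() in a.title.lower() and may_view(user, a)]

# Constructed sample data
INDEX = [
    Attachment("Test.png", "question"),                   # not tied to a space
    Attachment("Test-restricted.png", "question", "HR"),  # the workaround case
    Attachment("Test-page.png", "page", "DOCS"),
]
TEST_USER = User("test", can_use_questions=False, spaces=frozenset({"DOCS"}))

def leaked_titles(index, user, term):
    """Titles returned by search that the user is not permitted to open."""
    by_title = {a.title: a for a in index}
    return [t for t in search_reported(index, user, term)
            if not may_view(user, by_title[t])]

if __name__ == "__main__":
    print("leaked:", leaked_titles(INDEX, TEST_USER, "test"))
```

Comparing search hits against the view-time decision, as `leaked_titles` does, is also a usable regression check for any index that stores titles separately from the access control on the parent object.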

Affected configurations

Vulners node:
|atlassian|confluence_data_center|Range|7.11.1|

||CPE Name||Operator||Version||
|confluence data center|le|7.11.1|