diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb index 69a947b03..6fec51944 100644 --- a/app/controllers/issues_controller.rb +++ b/app/controllers/issues_controller.rb @@ -126,7 +126,7 @@ class IssuesController < ApplicationController raise ::Unauthorized end call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue }) - @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) + @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project) if @issue.save call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue}) respond_to do |format| @@ -523,6 +523,7 @@ class IssuesController < ApplicationController @issue.safe_attributes = attrs if @issue.project + @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project) @issue.tracker ||= @issue.allowed_target_trackers.first if @issue.tracker.nil? if @issue.project.trackers.any? diff --git a/app/models/issue.rb b/app/models/issue.rb index b20da8d91..4f8bd521f 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -38,7 +38,8 @@ class Issue < ActiveRecord::Base has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all - acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed + acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed, + :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments acts_as_customizable acts_as_watchable acts_as_searchable :columns => ['subject', "#{table_name}.description"], 
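Review bot: The `if User.current.allowed_to?(:edit_attachments, @issue.project)` modifier on `save_attachments` silently discards whatever the caller submitted in `params[:attachments]` / `params[:issue][:uploads]`, so an API client without the permission receives a successful create with its files missing and no explanation. The `raise ::Unauthorized` two lines above is the established pattern in this action; failing the same way when uploads are present but not permitted is more honest: `uploads = params[:attachments] || (params[:issue] && params[:issue][:uploads])` followed by `raise ::Unauthorized if uploads.present? && !User.current.allowed_to?(:edit_attachments, @issue.project)` and then the plain `@issue.save_attachments(uploads)`. The create action continues outside the hunk.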
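Review bot: `@issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project)` runs on a persisted issue, and assigning an empty collection to a `has_many` on a saved record removes the existing rows immediately (destroying them under the `:dependent => :destroy` that Redmine's `acts_as_attachable` declares, not visible here). The surrounding lines (`safe_attributes = attrs`, `tracker ||=`) suggest this is the before-action shared by `edit` and `update`, so a user who may comment on or edit the issue but lacks `edit_attachments` would wipe all of its attachments merely by opening the edit form. If the goal is only to ignore new uploads from such users, drop this line and guard `save_attachments` in the update action the way the previous hunk guards it in create; removal of existing files is already governed by `deleted_attachment_ids` being a safe attribute. The enclosing method starts and ends outside the hunk.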
@@ -273,7 +274,7 @@ class Issue < ActiveRecord::Base self.status = issue.status end self.author = User.current - unless options[:attachments] == false + if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project) self.attachments = issue.attachments.map do |attachement| attachement.copy(:container => self) end diff --git a/app/models/journal.rb b/app/models/journal.rb index ce3f9d0b3..e19e667dc 100644 --- a/app/models/journal.rb +++ b/app/models/journal.rb @@ -88,6 +88,8 @@ class Journal < ActiveRecord::Base detail.custom_field && detail.custom_field.visible_by?(project, user) elsif detail.property == 'relation' Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user) + elsif detail.property == 'attachment' + user.allowed_to?(:view_attachments, project) else true end diff --git a/app/models/mailer.rb b/app/models/mailer.rb index 58fe1d5f7..71cd0d93d 100644 --- a/app/models/mailer.rb +++ b/app/models/mailer.rb @@ -93,7 +93,7 @@ class Mailer < ActionMailer::Base end # Builds a mail for notifying user about an issue update - def issue_edit(user, journal) + def issue_edit(user, journal, att=false) issue = journal.journalized redmine_headers 'Project' => issue.project.identifier, 'Issue-Id' => issue.id, @@ -110,6 +110,7 @@ class Mailer < ActionMailer::Base @journal = journal @journal_details = journal.visible_details @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}") + @att = att mail :to => user, :subject => s 
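Review bot: Replacing `unless options[:attachments] == false` with `if options[:attachments] == true && ...` flips the default from opt-out to opt-in, so every caller of `copy_from` that does not pass `:attachments` (Redmine has several outside this diff) now stops copying attachments, and a truthy value such as `'1'` is rejected as well. Keep the old default and add only the permission test: `if options[:attachments] != false && User.current.allowed_to?(:view_attachments, issue.project)`. This is also a model method consulting the request-scoped `User.current`; from a console or background job that is the anonymous user and attachments are silently dropped, which deserves a one-line comment on the condition. The method continues outside the hunk.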
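Review bot: `att=false` is a boolean positional parameter whose meaning is invisible at the call site (`issue_edit(user, journal, true)` says nothing), and its only caller is changed in this same diff, so a keyword argument costs nothing: `def issue_edit(user, journal, show_attachments: false)`. A descriptive name also helps the mail partials, where the flag surfaces as `@att`. The method body continues past the hunk.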
@@ -120,12 +121,13 @@ class Mailer < ActionMailer::Base # Example: # Mailer.deliver_issue_edit(journal) def self.deliver_issue_edit(journal) + issue = journal.journalized.reload users = journal.notified_users | journal.notified_watchers users.select! do |user| journal.notes? || journal.visible_details(user).any? end users.each do |user| - issue_edit(user, journal).deliver_later + issue_edit(user, journal, user.allowed_to?(:view_attachments, issue.project)).deliver_later end end diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb index 3afaee4ca..218e7d173 100644 --- a/app/views/issues/_edit.html.erb +++ b/app/views/issues/_edit.html.erb @@ -39,6 +39,7 @@ <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>
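Review bot: `journal.journalized.reload` issues an extra query solely to read `issue.project`; `journal.journalized.project` without the reload yields the same value unless the issue was moved between projects in the same request, which nothing here suggests, so `issue = journal.journalized` suffices. The per-recipient `user.allowed_to?(:view_attachments, issue.project)` is the right place for the check, but passing it as a bare positional boolean to `issue_edit` is hard to read; `show_attachments: user.allowed_to?(:view_attachments, issue.project)` would document intent if `issue_edit` takes a keyword.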
<%= l(:label_attachment_plural) %> <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
<%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %>
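Review bot: Wrapping the entire attachments section in `allowed_to?(:edit_attachments, @project)` also hides the existing-attachments controls, so a role granted `delete_attachments` (declared separately in this diff) but not `edit_attachments` has no UI left to delete anything. Widen the outer test to `<% if User.current.allowed_to?(:edit_attachments, @project) || @issue.safe_attribute?('deleted_attachment_ids') %>` and keep the inner conditions as they are. Checking against `@issue.project` rather than `@project` would also match the controller hunks, which evaluate the permission on the issue's project. The enclosing form continues outside the hunk.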
@@ -62,6 +63,7 @@ <%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
+ <% end %> <% end %> diff --git a/app/views/issues/new.html.erb b/app/views/issues/new.html.erb index 22a174a11..9bb5bee04 100644 --- a/app/views/issues/new.html.erb +++ b/app/views/issues/new.html.erb @@ -17,7 +17,7 @@ <%= check_box_tag 'link_copy', '1', @link_copy %>

<% end %> - <% if @copy_from && @copy_from.attachments.any? %> + <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>

<%= check_box_tag 'copy_attachments', '1', @copy_attachments %> @@ -30,7 +30,9 @@

<% end %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>

<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>

+ <% end %>
<%= render :partial => 'issues/watchers_form' %> diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb index f474ed9c6..1fecc10d1 100644 --- a/app/views/issues/show.api.rsb +++ b/app/views/issues/show.api.rsb @@ -35,7 +35,7 @@ api.issue do @issue.attachments.each do |attachment| render_api_attachment(attachment, api) end - end if include_in_api_response?('attachments') + end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project) api.array :relations do @relations.each do |relation| diff --git a/app/views/issues/show.html.erb b/app/views/issues/show.html.erb index a11a24df6..c6885641d 100644 --- a/app/views/issues/show.html.erb +++ b/app/views/issues/show.html.erb @@ -88,10 +88,10 @@ end %>
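Review bot: On the project-less new-issue form (`/issues/new`, if this template serves it as in Redmine) `@project` is nil, and `User.current.allowed_to?(:edit_attachments, nil)` is false in Redmine's `User#allowed_to?`, so the upload form vanishes for everyone regardless of the project selected in the form; the controller hunk evaluates the same permission on `@issue.project`. Use that here: `<% if User.current.allowed_to?(:edit_attachments, @issue.project || @project) %>`.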
<% end %> -<% if @issue.attachments.any? %> +<% if @issue.attachments.any? && (User.current.allowed_to?(:view_attachments, @project)) %>

<%=l(:label_attachment_plural)%>

- <%= link_to_attachments @issue, :thumbnails => true %> + <%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %> <% end %> <%= render_full_width_custom_fields_rows(@issue) %> diff --git a/app/views/mailer/_issue.html.erb b/app/views/mailer/_issue.html.erb index 58287c658..7a5dd515a 100644 --- a/app/views/mailer/_issue.html.erb +++ b/app/views/mailer/_issue.html.erb @@ -4,7 +4,7 @@ <%= textilizable(issue, :description, :only_path => false) %> -<% if issue.attachments.any? %> +<% if issue.attachments.any? && @att %>
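Review bot: The `if User.current.allowed_to?(:view_attachments, @project)` modifier on the `link_to_attachments` line is redundant: the identical test was just added to the enclosing `if` three lines up, so the inner one can never be false when reached. Drop it and keep `<%= link_to_attachments @issue, :thumbnails => true %>`; the extra parentheses around the outer check can go too.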
<%= l(:label_attachment_plural) %> <% issue.attachments.each do |attachment| %> <%= link_to_attachment attachment, :download => true, :only_path => false %> diff --git a/app/views/mailer/_issue.text.erb b/app/views/mailer/_issue.text.erb index 819aebad6..6899e0589 100644 --- a/app/views/mailer/_issue.text.erb +++ b/app/views/mailer/_issue.text.erb @@ -5,7 +5,7 @@ ---------------------------------------- <%= issue.description %> -<% if issue.attachments.any? -%> +<% if issue.attachments.any? && @att -%> ---<%= l(:label_attachment_plural).ljust(37, '-') %> <% issue.attachments.each do |attachment| -%> <%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>) diff --git a/config/locales/en.yml b/config/locales/en.yml index 36d2099c8..8034aae65 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -492,6 +492,9 @@ en: permission_view_private_notes: View private notes permission_set_notes_private: Set notes as private permission_delete_issues: Delete issues + permission_view_attachments: View attachments + permission_edit_attachments: Edit attachments + permission_delete_attachments: Delete attachments permission_manage_public_queries: Manage public queries permission_save_queries: Save queries permission_view_gantt: View gantt chart diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 1dcf52b7a..42564646c 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml @@ -782,6 +782,9 @@ pt-BR: permission_manage_members: Gerenciar membros permission_edit_messages: Editar mensagens permission_delete_issues: Excluir tarefas + permission_view_attachments: Ver arquivos anexos + permission_edit_attachments: Editar arquivos anexos + permission_delete_attachments: Apagar arquivos anexos permission_view_issue_watchers: Ver lista de observadores permission_manage_repository: Gerenciar repositório permission_commit_access: Acesso do commit 
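Review bot: Rendering attachments only when `@att` is truthy breaks the new-issue notification: within this diff only `Mailer#issue_edit` assigns `@att`, and the `issue_add` mail (not in the diff) renders the same `mailer/_issue` partial, so those mails will now omit attachments for every recipient, including those allowed to view them. Either set the flag in `issue_add` per recipient the way `deliver_issue_edit` does, or have the partial consult the recipient directly if it is available as an instance variable, e.g. `<% if issue.attachments.any? && @att %>` becomes a test on the recipient's `allowed_to?(:view_attachments, issue.project)`. The same gap applies to the `_issue.text.erb` hunk that follows.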
diff --git a/db/migrate/20161215142110_add_attachments_permissions.rb b/db/migrate/20161215142110_add_attachments_permissions.rb
new file mode 100644
index 000000000..938da0311
--- /dev/null
+++ b/db/migrate/20161215142110_add_attachments_permissions.rb
@@ -0,0 +1,17 @@
+class AddAttachmentsPermissions < ActiveRecord::Migration[5.0]
+ def self.up
+ Role.all.each do |r|
+ r.add_permission!(:view_attachments) if r.has_permission?(:view_issues)
+ r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues)
+ r.add_permission!(:delete_attachments) if r.has_permission?(:edit_issues)
+ end
+ end
+
+ def self.down
+ Role.all.each do |r|
+ r.remove_permission!(:view_attachments)
+ r.remove_permission!(:edit_attachments)
+ r.remove_permission!(:delete_attachments)
+ end
+ end
+end
diff --git a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
index e6b6b22fc..0770e824a 100644
--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@@ -134,6 +134,7 @@ module Redmine
 r |= fetch_ranks_and_ids(
 search_scope(user, projects, options).
 joins(:attachments).
+ where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
 where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
 options[:limit]
 )
diff --git a/lib/redmine.rb b/lib/redmine.rb
index 73bff0ecf..d67e34fcc 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
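Review bot: `Role.all` includes the builtin Anonymous and Non member roles, so wherever those hold `view_issues` they are granted `view_attachments` here, while the permission is declared `:require => :member` in this diff, which keeps it out of the role form for builtin roles; an admin ends up with a grant they cannot see or revoke from the UI. Decide which behaviour is wanted and make the two consistent: iterate `Role.givable` if non-members are meant to lose attachment access (a visible change for public projects), or drop `:require => :member` from the declaration so the migrated grant stays manageable. The `down` branch is fine as written.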
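Review bot: `where("#{Project.allowed_to_condition(user, :view_attachments)}", false)` passes a stray `false` bind value to a condition string with no placeholder; Rails' `sanitize_sql_array` then falls through to `statement % values`, which happens to be a no-op but would misbehave if the generated SQL ever contained a `%`, and it reads like an argument meant for `allowed_to_condition`. The interpolation is unnecessary as well: `where(Project.allowed_to_condition(user, :view_attachments)).` The query chain continues outside the hunk.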
@@ -99,19 +99,23 @@ Redmine::AccessControl.map do |map|
 :queries => :index, :reports => [:issue_report, :issue_report_details]}, :read => true
- map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
- map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
- map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
+ map.permission :add_issues, {:issues => [:new, :create]}
+ map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
+ map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
 map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
 map.permission :manage_subtasks, {}
 map.permission :set_issues_private, {}
 map.permission :set_own_issues_private, {}, :require => :loggedin
- map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
+ map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
 map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
 map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
 map.permission :view_private_notes, {}, :read => true, :require => :member
 map.permission :set_notes_private, {}, :require => :member
 map.permission :delete_issues, {:issues => :destroy}, :require => :member
+ # Attachments
+ map.permission :view_attachments, {}, :require => :member
+ map.permission :edit_attachments, {:attachments => :upload}, :require => :member
+ map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
 # Watchers
 map.permission :view_issue_watchers, {}, :read => true
 map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
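Review bot: `view_attachments` is declared without `:read => true`, unlike the neighbouring `view_issues` and `view_issue_watchers`, so in Redmine's closed (read-only) projects, where only read permissions stay effective, attachments disappear even for members who can still read the issues. Declare it as a read permission: `map.permission :view_attachments, {}, :read => true, :require => :member`. Separately, `:require => :member` on a view permission means the Anonymous and Non member roles can never be granted it through the UI, which hides every attachment on public projects from non-members; confirm that is intended, since the migration in this diff still grants it to those roles.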
diff --git a/lib/redmine/export/pdf/issues_pdf_helper.rb b/lib/redmine/export/pdf/issues_pdf_helper.rb
index 7e2c8a85f..d7230b83c 100644
--- a/lib/redmine/export/pdf/issues_pdf_helper.rb
+++ b/lib/redmine/export/pdf/issues_pdf_helper.rb
@@ -235,7 +235,7 @@ module Redmine
 end
 end
- if issue.attachments.any?
+ if issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project)
 pdf.SetFontStyle('B',9)
 pdf.RDMCell(190,5, l(:label_attachment_plural), "B")
 pdf.ln
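Review bot: `@project` is a controller instance variable read inside a helper that already receives `issue` as a parameter; if the PDF is built from a context where `@project` is nil or is not the issue's project, the check is evaluated against the wrong project, and with a nil context Redmine's `User#allowed_to?` returns false and the attachments section is silently dropped. Use the object at hand, as the mailer hunk does: `if issue.attachments.any? && User.current.allowed_to?(:view_attachments, issue.project)`. The enclosing method continues outside the hunk.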