diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
index f1d8701a1..0f7926756 100644
--- a/odoo/addons/base/models/ir_attachment.py
+++ b/odoo/addons/base/models/ir_attachment.py
@@ -418,7 +418,10 @@ class IrAttachment(models.Model):
 return True
 # Always require an internal user (aka, employee) to access to a attachment
 if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
- raise AccessError(_("Sorry, you are not allowed to access this document."))
+ res_models = ['account.move', 'stock.picking',
+ 'stock.certificate', 'stock.delivery']
+ if not self.res_model or not self.res_id or self.res_model not in res_models:
+ raise AccessError(_("Sorry, you are not allowed to access this document."))
+ self.env[self.res_model].browse(self.res_id).check_access_rule('read')
 # collect the records to check (by model)
 model_ids = defaultdict(set) # {model_name: set(ids)}
 if self:
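Review bot: The added non-internal-user branch treats `self` as a single attachment and authorises it with only `check_access_rule('read')` on the linked record, which is a thin replacement for the employee gate it relaxes. The `model_ids` grouping and the `if self:` test just below suggest `self` may hold several attachments or none, so reading `self.res_model` / `self.res_id` would fail on a multi-record set instead of checking each attachment. The literal `'read'` is used whatever operation is being authorised and the model-level ACL (`check_access_rights`) is not consulted here; the method's signature and the rest of its body are outside the hunk and may cover part of this, so if the operation is passed in, use it rather than the literal. I would loop over the attachments, fail closed on an empty set or a model outside the allow-list, and check both rights and rules on the linked record. The allow-list would also be easier to audit as a named module-level constant with a comment saying why these four models are exposed to non-internal users.

```python
if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
    # … unchanged: res_models allow-list …
    if not self:
        raise AccessError(_("Sorry, you are not allowed to access this document."))
    for attachment in self:
        if (not attachment.res_model or not attachment.res_id
                or attachment.res_model not in res_models):
            raise AccessError(_("Sorry, you are not allowed to access this document."))
        linked = self.env[attachment.res_model].browse(attachment.res_id)
        linked.check_access_rights('read')
        linked.check_access_rule('read')
# … unchanged: collection of model_ids …
```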