diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
index f1d8701a1..0f7926756 100644
--- a/odoo/addons/base/models/ir_attachment.py
+++ b/odoo/addons/base/models/ir_attachment.py
@@ -416,9 +416,13 @@ class IrAttachment(models.Model):
 """ Restricts the access to an ir.attachment, according to referred mode """
 if self.env.is_superuser():
 return True
- # Always require an internal user (aka, employee) to access to a attachment
+ # Either internal users or Portal users (for some models) have access to attachments
 if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
- raise AccessError(_("Sorry, you are not allowed to access this document."))
+ res_models = ['account.move', 'stock.picking',
+ 'stock.certificate', 'stock.delivery']
+ if not self.res_model or not self.res_id or self.res_model not in res_models:
+ raise AccessError(_("Sorry, you are not allowed to access this document."))
+ self.env[self.res_model].browse(self.res_id).check_access_rule('read')
 # collect the records to check (by model)
 model_ids = defaultdict(set) # {model_name: set(ids)}
 if self:
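Review bot: The new portal branch reads `self.res_model` and `self.res_id` directly, which assumes `self` is exactly one attachment, yet the `if self:` context line and the per-model `model_ids` grouping just below show the method is written for empty and multi-record recordsets. A multi-record call would most likely fail with a singleton error instead of a clean `AccessError`, and only the first record's link would ever be considered. The gate also calls only `check_access_rule('read')`, so the model-level ACL of the linked document is not consulted here and the operation is fixed to read although the docstring says access depends on the mode; unless the code after the hunk re-checks the linked records with the requested mode, a portal user who can read one of these documents could pass this gate for a write or unlink on its attachments. The allow-list also names models from other addons inside `base`, which deserves a comment explaining why these four are exposed. A per-record version with the ACL check added is sketched below; the method's signature and the rest of its body are outside the hunk.

```python
        if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
            # … unchanged: res_models allow-list …
            if not self:
                # keep the patch's behaviour: nothing to vouch for, so refuse
                raise AccessError(_("Sorry, you are not allowed to access this document."))
            for attachment in self:
                if not attachment.res_id or attachment.res_model not in res_models:
                    raise AccessError(_("Sorry, you are not allowed to access this document."))
                linked = self.env[attachment.res_model].browse(attachment.res_id)
                linked.check_access_rights('read')  # model ACL, not only record rules
                linked.check_access_rule('read')
```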