diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index cb63e2b9..c7e1c285 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -817,7 +817,7 @@ class TodosController < ApplicationController
 def attachment
 id = params[:id]
 filename = params[:filename]
- attachment = Attachment.where(id: id).first
+ attachment = current_user.attachments.find(id)
 if attachment
 send_file(attachment.file.path,
diff --git a/app/models/todo.rb b/app/models/todo.rb
index 8e4ee7c6..a39e5964 100644
--- a/app/models/todo.rb
+++ b/app/models/todo.rb
@@ -25,7 +25,7 @@ class Todo < ActiveRecord::Base
 has_many :pending_successors, -> {where('todos.state = ?', 'pending')}, :through => :predecessor_dependencies, :source => :successor
- has_many :attachments, dependent: :delete_all
+ has_many :attachments, dependent: :destroy
 # scopes for states of this todo
 scope :active, -> { where state: 'active' }
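Review bot: In the `attachment` action of todos_controller.rb, `find(id)` raises `ActiveRecord::RecordNotFound` for a missing or foreign id instead of returning nil, so the `if attachment` check right after it can no longer be false and whatever the not-found branch does (it lies outside the hunk) becomes unreachable. If that existing handling should stay in effect, use `attachment = current_user.attachments.find_by(id: id)`, which keeps the per-user scoping and returns nil when the record is not the caller's. The diff does not show a `has_many :attachments` on the user model, nor a test that requests another user's attachment id and expects the same response as for a nonexistent one; both are worth confirming before merge. The method body continues past the end of the hunk.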
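Review bot: The change to `dependent: :destroy` in todo.rb needs a comment saying why, because a later maintainer could revert it to `:delete_all` as an optimisation. `:delete_all` issues one SQL delete and skips callbacks, while `:destroy` loads each attachment and runs its callbacks, which is presumably what removes the stored file (the Attachment model is not part of this diff). A line such as `# :destroy, not :delete_all, so Attachment callbacks run and the uploaded file is removed with the todo` above the association would do. Files left behind by todos deleted before this change are not cleaned up by it and would need a one-off task if that matters here.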