diff --git a/app/models/issue.rb b/app/models/issue.rb
index 34f02b300..5da0b3395 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -213,7 +213,7 @@ class Issue < ApplicationRecord
 # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
 def attachments_editable?(user=User.current)
- attributes_editable?(user)
+ visible?(user) && attributes_editable?(user)
 end
 # Returns true if user or current user is allowed to add notes to the issue
@@ -228,7 +228,7 @@ class Issue < ApplicationRecord
 # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
 def attachments_deletable?(user=User.current)
- attributes_editable?(user)
+ visible?(user) && attributes_editable?(user)
 end
 def initialize(attributes=nil, *args)
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 5b286f264..be8fb0347 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -3628,4 +3628,26 @@ class IssueTest < ActiveSupport::TestCase
 r = Issue.like('issue today')
 assert_include Issue.find(7), r
 end
+
+ def test_attachments_editable_should_check_issue_visibility
+ # private issue
+ i = Issue.find(14)
+ # user jsmith has permission to view issue
+ assert i.attachments_editable?(User.find(2))
+ # user dlopper does not have permission to view issue
+ assert_not i.attachments_editable?(User.find(3))
+ end
+
+ def test_attachments_deletable_should_check_issue_visibility
+ # private issue
+ i = Issue.find(14)
+ # user jsmith has permission to view issue
+ assert i.attachments_deletable?(User.find(2))
+ # user dlopper does not have permission to view issue
+ assert_not i.attachments_deletable?(User.find(3))
+ end
 end
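Review bot: The added `visible?(user) &&` guard changes the authorization contract of attachments_editable?, but the only documentation is the "Overrides …" line, so a reader still has to infer why visibility is checked before the edit permission; I would extend the comment above the method with `# The user must be able to see the issue (e.g. a private issue) AND edit its attributes; a project-level edit permission alone is not sufficient.` It is also worth confirming that any sibling predicate outside this hunk that grants attachment access from attributes_editable? alone (an attachments_addable? override, if this model has one) received the same visibility guard, since otherwise the same bypass would remain through that path.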
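Review bot: The added line in attachments_deletable? duplicates the exact predicate that attachments_editable? now uses, which leaves two places where this authorization rule must be kept in sync the next time it is tightened. If the two predicates are meant to stay equivalent, delegating with `attachments_editable?(user)` as the body keeps a single source of truth for the visibility check. If deletion is intended to diverge later, keep the copy but say so in the comment, e.g. `# Same rule as attachments_editable?: the issue must be visible to the user, not merely editable.`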
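Review bot: The assert_not lines prove the fix only if dlopper (User 3) would otherwise have passed attributes_editable? on issue 14; as written, both tests also pass if that user simply lacks the edit permission, which would never exercise the new visible? guard. I would pin the precondition inside each test, e.g. `assert_not i.visible?(User.find(3))` before the assert_not and, if the fixtures allow it, `assert i.attributes_editable?(User.find(3))`, so a regression fails for the intended reason. The positive branch benefits the same way from `assert i.visible?(User.find(2))`, which documents why jsmith is expected to succeed. The enclosing IssueTest class starts before this hunk.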