--- webfm.module.orig	2008-07-14 14:34:39.000000000 +0200
+++ webfm.module	2008-07-14 14:36:38.000000000 +0200
@@ -580,8 +580,12 @@
       break;
 
     case 'update':
-      $files = explode(',', $_POST['attachlist']);
-      webfm_dbupdate_attach($node->nid, $files);
+      // If the user cannot access webfm, $_POST['attachlist'] is always empty
+      // and therefore will delete existing attachments from the node.
+      if(user_access('access webfm')) {
+        $files = explode(',', $_POST['attachlist']);
+        webfm_dbupdate_attach($node->nid, $files);
+      }
       break;
   }
 }