diff --git a/src/controllers/07-task-controller.ts b/src/controllers/07-task-controller.ts
index d342fac..a23d2f3 100644
--- a/src/controllers/07-task-controller.ts
+++ b/src/controllers/07-task-controller.ts
@@ -3,6 +3,7 @@ import {
   Controller,
   Delete,
   Get,
+  Head,
   Path,
   Post,
   Put,
@@ -23,6 +24,7 @@ import {
 } from "../services/permission";
 import HttpError from "../interfaces/http-error";
 import HttpStatus from "../interfaces/http-status";
+import { deleteFile, fileLocation, getFile, getPresigned, listFile, setFile } from "../utils/minio";
 
 const MANAGE_ROLES = ["system", "head_of_admin", "admin", "document_checker"];
 
@@ -378,4 +380,53 @@ export class TaskActionController extends Controller {
 
 @Route("api/v1/task-order/{taskId}")
 @Tags("Task Order")
-export class TaskOrderAttachmentController extends Controller {}
+export class TaskOrderAttachmentController extends Controller {
+  private async checkPermission(user: RequestWithUser["user"], id: string) {
+    const data = await prisma.taskOrder.findUnique({
+      include: { registeredBranch: { include: branchRelationPermInclude(user) } },
+      where: { id },
+    });
+    if (!data) throw notFoundError("Branch");
+    await permissionCheck(user, data.registeredBranch);
+  }
+  @Get("attachment")
+  @Security("keycloak")
+  async listAttachment(@Request() req: RequestWithUser, @Path() taskId: string) {
+    await this.checkPermission(req.user, taskId);
+    return await listFile(fileLocation.task.attachment(taskId));
+  }
+
+  @Get("attachment/{name}")
+  @Security("keycloak")
+  async getAttachment(@Path() taskId: string, @Path() name: string) {
+    return await getFile(fileLocation.task.attachment(taskId, name));
+  }
+
+  @Head("attachment/{name}")
+  @Security("keycloak")
+  async headAttachment(@Path() taskId: string, @Path() name: string) {
+    return await getPresigned("head", fileLocation.task.attachment(taskId, name));
+  }
+
+  @Put("attachment/{name}")
+  @Security("keycloak")
+  async putAttachment(
+    @Request() req: RequestWithUser,
+    @Path() taskId: string,
+    @Path() name: string,
+  ) {
+    await this.checkPermission(req.user, taskId);
+    return await setFile(fileLocation.task.attachment(taskId, name));
+  }
+
+  @Delete("attachment/{name}")
+  @Security("keycloak")
+  async delAttachment(
+    @Request() req: RequestWithUser,
+    @Path() taskId: string,
+    @Path() name: string,
+  ) {
+    await this.checkPermission(req.user, taskId);
+    return await deleteFile(fileLocation.task.attachment(taskId, name));
+  }
+}