fix(gateway): issue secureview token correctly

kobergj · kobergj · commit 8f68f0520973 · 2025-01-30T10:13:09.000+01:00
Signed-off-by: jkoberg &lt;jkoberg@owncloud.com&gt;
diff --git a/changelog/unreleased/fix-viewdownload-permission.md b/changelog/unreleased/fix-viewdownload-permission.md
@@ -0,0 +1,5 @@
+Bugfix: Fix view&download permission issue
+
+When opening files with view&download permission (aka read), the appprovider would falsely issue a secureview token. This is fixed now.
+
+https://github.com/cs3org/reva/pull/5055
diff --git a/internal/grpc/services/gateway/appprovider.go b/internal/grpc/services/gateway/appprovider.go
@@ -189,7 +189,7 @@ func (s *svc) openLocalResources(ctx context.Context, ri *storageprovider.Resour
 
 func buildOpenInAppRequest(ctx context.Context, ri *storageprovider.ResourceInfo, vm gateway.OpenInAppRequest_ViewMode, tokenmgr token.Manager, accessToken string, opaque *typespb.Opaque) (*providerpb.OpenInAppRequest, error) {
 	// in case of a view only mode and a stat permission we need to create a view only token
-	if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() {
+	if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() && !ri.PermissionSet.GetInitiateFileDownload() {
 		// Limit scope to the resource
 		scope, err := scope.AddResourceInfoScope(ri, providerv1beta1.Role_ROLE_VIEWER, nil)
 		if err != nil {
