diff --git a/lib/classes/JsonApi/Routes/Files/Authority.php b/lib/classes/JsonApi/Routes/Files/Authority.php
index 8f25bb6cc914aede63582812e9e918b456671aad..7f845588195aba3ebba2486c053520a187139a40 100644
--- a/lib/classes/JsonApi/Routes/Files/Authority.php
+++ b/lib/classes/JsonApi/Routes/Files/Authority.php
@@ -38,6 +38,11 @@ class Authority
         return $folder->isReadable($user->id);
     }
 
+    public static function canShowFolderFileRefs(User $user, \FolderType $folder)
+    {
+        return self::canShowFolder($user, $folder) || $folder->download_allowed;
+    }
+
     public static function canUpdateFolder(User $user, \FolderType $folder)
     {
         return $folder->isEditable($user->id);
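Review bot: `canShowFolderFileRefs` grants access on `$folder->download_allowed` alone, a folder-level flag read as a property and never evaluated against `$user`, unlike the `isReadable($user->id)` and `isEditable($user->id)` checks around it. At the `SubfilerefsIndex` call site in the second hunk, any user who passes the earlier checks can therefore list the file refs of a folder they cannot read whenever the flag is truthy. If that is the intent, state it in a docblock such as `/** Listing file refs is allowed without read access when the folder permits downloads. */` and confirm that the handler filters the returned refs per user; that code is outside the visible hunks. It is also worth confirming that `download_allowed` is defined on every `\FolderType` implementation, since an undefined property would presumably evaluate as falsy and quietly fall back to `canShowFolder`.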
diff --git a/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php b/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
index 0ff060325459a6a60b7cc94aca15c0ad1484165f..994a4b4529200a3e6ed9d3e1c7879cb8e186aae8 100644
--- a/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
+++ b/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
@@ -24,7 +24,7 @@ class SubfilerefsIndex extends JsonApiController
             throw new RecordNotFoundException();
         }
 
-        if (!Authority::canShowFolder($this->getUser($request), $folder)) {
+        if (!Authority::canShowFolderFileRefs($this->getUser($request), $folder)) {
             throw new AuthorizationFailedException();
         }