From b940d493cfd1ab367d01d8626e401ee47998e582 Mon Sep 17 00:00:00 2001
From: Ron Lucke <lucke@elan-ev.de>
Date: Tue, 11 Jan 2022 07:32:04 +0000
Subject: [PATCH] Biest #465

---
 lib/classes/JsonApi/Routes/Files/Authority.php        | 5 +++++
 lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/classes/JsonApi/Routes/Files/Authority.php b/lib/classes/JsonApi/Routes/Files/Authority.php
index 8f25bb6cc91..7f845588195 100644
--- a/lib/classes/JsonApi/Routes/Files/Authority.php
+++ b/lib/classes/JsonApi/Routes/Files/Authority.php
@@ -38,6 +38,11 @@ class Authority
         return $folder->isReadable($user->id);
     }
 
+    public static function canShowFolderFileRefs(User $user, \FolderType $folder)
+    {
+        return self::canShowFolder($user, $folder) || $folder->download_allowed;
+    }
+
     public static function canUpdateFolder(User $user, \FolderType $folder)
     {
         return $folder->isEditable($user->id);
diff --git a/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php b/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
index 0ff06032545..994a4b45292 100644
--- a/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
+++ b/lib/classes/JsonApi/Routes/Files/SubfilerefsIndex.php
@@ -24,7 +24,7 @@ class SubfilerefsIndex extends JsonApiController
             throw new RecordNotFoundException();
         }
 
-        if (!Authority::canShowFolder($this->getUser($request), $folder)) {
+        if (!Authority::canShowFolderFileRefs($this->getUser($request), $folder)) {
             throw new AuthorizationFailedException();
         }
 
-- 
GitLab