From 54bc97b46b5435472aab65a5b9aa99474a72c2e4 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Tue, 17 Mar 2026 17:01:58 +0100
Subject: [PATCH 1/3] feat(share): provide `canDownload` getter on the share

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 lib/private/Share20/Share.php | 23 +++++++++++++++--------
 lib/public/Share/IShare.php   |  9 +++++++++
 2 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/lib/private/Share20/Share.php b/lib/private/Share20/Share.php
index 571efc8c4bef6..1069d0a706c1c 100644
--- a/lib/private/Share20/Share.php
+++ b/lib/private/Share20/Share.php
@@ -7,6 +7,7 @@
  */
 namespace OC\Share20;
 
+use OCP\Constants;
 use OCP\Files\Cache\ICacheEntry;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
@@ -611,6 +612,19 @@ public function getReminderSent(): bool {
 		return $this->reminderSent;
 	}
 
+	public function canDownload(): bool {
+		if (($this->getPermissions() & Constants::PERMISSION_READ) === 0) {
+			return false;
+		}
+
+		$attributes = $this->getAttributes();
+		if ($attributes?->getAttribute('permissions', 'download') === false) {
+			return false;
+		}
+
+		return true;
+	}
+
 	public function canSeeContent(): bool {
 		$shareManager = Server::get(IManager::class);
 
@@ -620,13 +634,6 @@ public function canSeeContent(): bool {
 			return true;
 		}
 
-		// No "allow preview" header set, so we must check if
-		// the share has not explicitly disabled download permissions
-		$attributes = $this->getAttributes();
-		if ($attributes?->getAttribute('permissions', 'download') === false) {
-			return false;
-		}
-
-		return true;
+		return $this->canDownload();
 	}
 }
diff --git a/lib/public/Share/IShare.php b/lib/public/Share/IShare.php
index d3c0873a3afea..cb4a9c8c5d2c8 100644
--- a/lib/public/Share/IShare.php
+++ b/lib/public/Share/IShare.php
@@ -653,6 +653,15 @@ public function getReminderSent(): bool;
 	 * Check if the current user can see this share files contents.
 	 * This will check the download permissions as well as the global
 	 * admin setting to allow viewing files without downloading.
+	 *
+	 * @since 32.0.0
 	 */
 	public function canSeeContent(): bool;
+
+	/**
+	 * Check if it is allowed to download this share.
+	 *
+	 * @since 34.0.0
+	 */
+	public function canDownload(): bool;
 }

From 480ec68655a1e5cbc4b67693c0b16cfb4e427945 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Tue, 17 Mar 2026 17:02:21 +0100
Subject: [PATCH 2/3] fix: use `canDownload` for permissions on federated
 shares

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 .../lib/Controller/MountPublicLinkController.php             | 5 ++---
 .../files_sharing/lib/DefaultPublicShareTemplateProvider.php | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
index 2cc583639f3fd..cf755610dca2f 100644
--- a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
+++ b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
@@ -18,7 +18,6 @@
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
-use OCP\Constants;
 use OCP\Federation\ICloudIdManager;
 use OCP\HintException;
 use OCP\Http\Client\IClientService;
@@ -108,9 +107,9 @@ public function createFederatedShare($shareWith, $token, $password = '') {
 			return $response;
 		}
 
-		if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+		if (!$share->canDownload()) {
 			$response = new JSONResponse(
-				['message' => 'Mounting file drop not supported'],
+				['message' => 'Mounting download restricted share is not allowed'],
 				Http::STATUS_BAD_REQUEST
 			);
 			$response->throttle();
diff --git a/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php b/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
index f75922fc37ddc..fe047ce9081d3 100644
--- a/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
+++ b/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
@@ -153,7 +153,7 @@ public function renderPage(IShare $share, string $token, string $path): Template
 
 		// Create the header action menu
 		$headerActions = [];
-		if ($view !== 'public-file-drop' && !$share->getHideDownload()) {
+		if ($share->canDownload() && !$share->getHideDownload()) {
 			// The download URL is used for the "download" header action as well as in some cases for the direct link
 			$downloadUrl = $this->urlGenerator->getAbsoluteURL('/public.php/dav/files/' . $token . '/?accept=zip');
 

From 35f0e571b8a949be174daacbc45974ac91c5d112 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen <opensource@fthiessen.de>
Date: Tue, 17 Mar 2026 23:01:48 +0100
Subject: [PATCH 3/3] chore: adjust version comment

Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
---
 lib/public/Share/IShare.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/public/Share/IShare.php b/lib/public/Share/IShare.php
index cb4a9c8c5d2c8..b268fd00758f3 100644
--- a/lib/public/Share/IShare.php
+++ b/lib/public/Share/IShare.php
@@ -661,7 +661,7 @@ public function canSeeContent(): bool;
 	/**
 	 * Check if it is allowed to download this share.
 	 *
-	 * @since 34.0.0
+	 * @since 33.0.1
 	 */
 	public function canDownload(): bool;
 }