diff --git a/api/service/file_service.go b/api/service/file_service.go
index f042b2b2d..a93dea599 100644
--- a/api/service/file_service.go
+++ b/api/service/file_service.go
@@ -326,6 +326,9 @@ func (svc *FileService) DownloadOriginalBuffer(id string, rangeHeader string, bu
 	if err != nil {
 		return nil, err
 	}
+	if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
+		return nil, err
+	}
 	if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
 		return nil, errorpkg.NewFileIsNotAFileError(file)
 	}
@@ -333,9 +336,6 @@ func (svc *FileService) DownloadOriginalBuffer(id string, rangeHeader string, bu
 	if err != nil {
 		return nil, err
 	}
-	if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
-		return nil, err
-	}
 	if snapshot.HasOriginal() {
 		objectInfo, err := svc.s3.StatObject(snapshot.GetOriginal().Key, snapshot.GetOriginal().Bucket, minio.StatObjectOptions{})
 		if err != nil {
@@ -365,6 +365,9 @@ func (svc *FileService) DownloadPreviewBuffer(id string, rangeHeader string, buf
 	if err != nil {
 		return nil, err
 	}
+	if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
+		return nil, err
+	}
 	if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
 		return nil, errorpkg.NewFileIsNotAFileError(file)
 	}
@@ -372,9 +375,6 @@ func (svc *FileService) DownloadPreviewBuffer(id string, rangeHeader string, buf
 	if err != nil {
 		return nil, err
 	}
-	if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
-		return nil, err
-	}
 	if snapshot.HasPreview() {
 		objectInfo, err := svc.s3.StatObject(snapshot.GetOriginal().Key, snapshot.GetOriginal().Bucket, minio.StatObjectOptions{})
 		if err != nil {
@@ -408,6 +408,9 @@ func (svc *FileService) DownloadThumbnailBuffer(id string, userID string) (*byte
 	if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
 		return nil, nil, nil, errorpkg.NewFileIsNotAFileError(file)
 	}
+	if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
+		return nil, nil, nil, err
+	}
 	snapshot, err := svc.snapshotCache.Get(*file.GetSnapshotID())
 	if err != nil {
 		return nil, nil, nil, err