diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php
index 1ef4bc6fc4a..ae95b7839c2 100644
--- a/lib/Middleware/SessionMiddleware.php
+++ b/lib/Middleware/SessionMiddleware.php
@@ -21,10 +21,12 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
+use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotPermittedException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager as ShareManager;
@@ -36,6 +38,7 @@ public function __construct(
 		private IRequest $request,
 		private SessionService $sessionService,
 		private DocumentService $documentService,
+		private ISession $session,
 		private IUserSession $userSession,
 		private IRootFolder $rootFolder,
 		private ShareManager $shareManager,
@@ -131,8 +134,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			} catch (ShareNotFound) {
 				throw new InvalidSessionException();
 			}
-			// Check if shareToken has access to document
-			if ($this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId) === null) {
+
+			$node = $this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId);
+			if ($node === null) {
+				throw new InvalidSessionException();
+			}
+
+			if ($share->getPassword() !== null) {
+				$shareId = $this->session->get('public_link_authenticated');
+				if ($share->getId() !== $shareId) {
+					throw new InvalidSessionException();
+				}
+			}
+
+			if ($share->getPermissions() & Constants::PERMISSION_READ !== Constants::PERMISSION_READ) {
+				throw new InvalidSessionException();
+			}
+
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
 				throw new InvalidSessionException();
 			}
 		} else {