diff --git a/changelog/unreleased/fix-viewdownload-permission.md b/changelog/unreleased/fix-viewdownload-permission.md
new file mode 100644
index 0000000000..6f841e61d5
--- /dev/null
+++ b/changelog/unreleased/fix-viewdownload-permission.md
@@ -0,0 +1,5 @@
+Bugfix: Fix view&download permission issue
+
+When opening files with view&download permission (aka read), the appprovider would falsely issue a secureview token. This is fixed now.
+
+https://github.com/cs3org/reva/pull/5055
diff --git a/internal/grpc/services/gateway/appprovider.go b/internal/grpc/services/gateway/appprovider.go
index fa77ef157a..4c8ae3e0ba 100644
--- a/internal/grpc/services/gateway/appprovider.go
+++ b/internal/grpc/services/gateway/appprovider.go
@@ -189,7 +189,7 @@ func (s *svc) openLocalResources(ctx context.Context, ri *storageprovider.Resour
 func buildOpenInAppRequest(ctx context.Context, ri *storageprovider.ResourceInfo, vm gateway.OpenInAppRequest_ViewMode, tokenmgr token.Manager, accessToken string, opaque *typespb.Opaque) (*providerpb.OpenInAppRequest, error) {
 // in case of a view only mode and a stat permission we need to create a view only token
- if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() {
+ if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() && !ri.PermissionSet.GetInitiateFileDownload() {
 // Limit scope to the resource
 scope, err := scope.AddResourceInfoScope(ri, providerv1beta1.Role_ROLE_VIEWER, nil)
 if err != nil {
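Review bot: The comment above the changed `if` in buildOpenInAppRequest still states the old rule (view-only mode plus stat), although the condition now also requires that download is not permitted. Since this branch decides whether the app gets a token scoped to `Role_ROLE_VIEWER`, the comment should name all three terms, e.g. `// view-only mode with stat but without download permission: issue a resource-scoped viewer token`. The added term reads the field directly (`ri.PermissionSet.GetInitiateFileDownload()`) while the same line uses `ri.GetPermissionSet()` for stat; `!ri.GetPermissionSet().GetInitiateFileDownload()` would keep the nil handling uniform. No test for the stat/download combinations is part of this diff, so a small table test would pin the token-scope decision against regressions. The function body continues outside the hunk, so what happens on the fall-through path cannot be checked from here.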