Issue SecureView Token correctly

changelog/unreleased/fix-viewdownload-permission.md

@@ -0,0 +1,5 @@
+Bugfix: Fix view&download permission issue
+
+When opening files with view&download permission (aka read), the appprovider would falsely issue a secureview token. This is fixed now.
+
+https://github.com/cs3org/reva/pull/5055

internal/grpc/services/gateway/appprovider.go

@@ -189,7 +189,7 @@ func (s *svc) openLocalResources(ctx context.Context, ri *storageprovider.Resour
 
 func buildOpenInAppRequest(ctx context.Context, ri *storageprovider.ResourceInfo, vm gateway.OpenInAppRequest_ViewMode, tokenmgr token.Manager, accessToken string, opaque *typespb.Opaque) (*providerpb.OpenInAppRequest, error) {
 	// in case of a view only mode and a stat permission we need to create a view only token
-	if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() {
+	if vm == gateway.OpenInAppRequest_VIEW_MODE_VIEW_ONLY && ri.GetPermissionSet().GetStat() && !ri.PermissionSet.GetInitiateFileDownload() {
 		// Limit scope to the resource
 		scope, err := scope.AddResourceInfoScope(ri, providerv1beta1.Role_ROLE_VIEWER, nil)
 		if err != nil {