diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index de81efc2fb8..02dd2da02dc 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -55,6 +55,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\OCSController;
+use OCP\Constants;
 use OCP\DirectEditing\IManager as IDirectEditingManager;
 use OCP\DirectEditing\RegisterDirectEditorEvent;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -64,6 +65,7 @@
 use OCP\Files\NotPermittedException;
 use OCP\Files\StorageNotAvailableException;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -95,7 +97,10 @@ class WorkspaceController extends OCSController {
 /** @var LoggerInterface */
 private $logger;
 
-public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, $userId) {
+/** @var ISession */
+private $session;
+
+public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, ISession $session, $userId) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
@@ -105,6 +110,7 @@ public function __construct($appName, IRequest $request, IRootFolder $rootFolder
 $this->urlGenerator = $urlGenerator;
 $this->eventDispatcher = $eventDispatcher;
 $this->logger = $logger;
+$this->session = $session;
 }
 
 /**
@@ -158,6 +164,15 @@ public function folder(string $path = '/'): DataResponse {
 public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+throw new ShareNotFound();
+}
+if ($share->getPassword() !== null) {
+$shareId = $this->session->get('public_link_authenticated');
+if ($share->getId() !== $shareId) {
+throw new ShareNotFound();
+}
+}
 $folder = $share->getNode()->get($path);
 if ($folder instanceof Folder) {
 $file = $this->workspaceService->getFile($folder);
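Review bot: The new `if ($share->getId() !== $shareId)` line compares with strict identity, so if `getId()` and the value core stores under `public_link_authenticated` ever differ in type (int vs string), every password-protected share is rejected as ShareNotFound even after a successful password prompt; that fails closed, which is the safe direction, but it would silently break the feature rather than surface an error. Normalising both sides while keeping an absent session value as a rejection, `if ($shareId === null || (string)$share->getId() !== (string)$shareId) {`, removes the type dependency. A one-line comment above the password branch, `// Mirrors core's public-share session check; keep in sync if the session key changes`, would tell the next maintainer why this is duplicated here rather than delegated. The added checks cover only read permission and password authentication; share expiry and link sharing being disabled presumably remain with getShareByToken(), which is worth confirming. The try block continues past the hunk, so the catch that handles ShareNotFound is not visible here.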