diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index 57d90cd597f..2a9dcba8006 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -54,6 +54,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\OCSController;
+use OCP\Constants;
 use OCP\DirectEditing\IManager as IDirectEditingManager;
 use OCP\DirectEditing\RegisterDirectEditorEvent;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -62,6 +63,7 @@
 use OCP\Files\NotFoundException;
 use OCP\Files\StorageNotAvailableException;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -89,7 +91,19 @@ class WorkspaceController extends OCSController {
 /** @var IEventDispatcher */
 private $eventDispatcher;
- public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, $userId) {
+ /** @var ISession */
+ private $session;
+
+ public function __construct($appName,
+ IRequest $request,
+ IRootFolder $rootFolder,
+ IManager $shareManager,
+ IDirectEditingManager $directEditingManager,
+ IURLGenerator $urlGenerator,
+ WorkspaceService $workspaceService,
+ IEventDispatcher $eventDispatcher,
+ ISession $session,
+ $userId) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
@@ -98,6 +112,7 @@ public function __construct($appName, IRequest $request, IRootFolder $rootFolder
 $this->directEditingManager = $directEditingManager;
 $this->urlGenerator = $urlGenerator;
 $this->eventDispatcher = $eventDispatcher;
+ $this->session = $session;
 }
 /**
@@ -148,6 +163,15 @@ public function folder(string $path = '/'): DataResponse {
 public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+ if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+ throw new ShareNotFound();
+ }
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
 $folder = $share->getNode()->get($path);
 if ($folder instanceof Folder) {
 $file = $this->workspaceService->getFile($folder);
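Review bot: The password gate in `publicFolder` compares `$share->getId()` to the session value with `!==`, so it only passes when whatever writes `public_link_authenticated` stores the id with the same type; that writer is not visible in this hunk. A mismatch or an unset key fails closed, which is the safe direction, but it would silently turn every password-protected share into not-found; writing the condition as `if ($shareId === null || (string)$share->getId() !== (string)$shareId) {` removes the type dependency while still rejecting a session that never authenticated. Both rejections throw `ShareNotFound`, which presumably keeps the response identical to that for an unknown token (the `catch` lies outside the hunk), so a comment such as `// Report a missing read permission or a missing password check as not-found so the share's existence is not disclosed` would guard against a later change to a distinct 403. If other token-based endpoints in this controller resolve shares the same way (none are visible here), the two checks are worth moving into one private helper so they cannot drift apart.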