diff --git a/internal/http/services/appprovider/appprovider.go b/internal/http/services/appprovider/appprovider.go
index c4366dc148e..c57d9fbc789 100644
--- a/internal/http/services/appprovider/appprovider.go
+++ b/internal/http/services/appprovider/appprovider.go
@@ -449,19 +449,23 @@ func filterAppsByUserAgent(mimeTypes []*appregistry.MimeTypeInfo, userAgent stri
 }
 
 func resolveViewMode(res *provider.ResourceInfo, vm string) gateway.OpenInAppRequest_ViewMode {
+	var viewMode gateway.OpenInAppRequest_ViewMode
 	if vm != "" {
-		return utils.GetViewMode(vm)
+		viewMode = utils.GetViewMode(vm)
+	} else {
+		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
 	}
-
-	var viewMode gateway.OpenInAppRequest_ViewMode
 	canEdit := res.PermissionSet.InitiateFileUpload
 	canView := res.PermissionSet.InitiateFileDownload
 
 	switch {
 	case canEdit && canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
+		// ok
 	case canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		if viewMode == gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE || viewMode == gateway.OpenInAppRequest_VIEW_MODE_PREVIEW {
+			// downgrade to the maximum permitted viewmode
+			viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		}
 	default:
 		// no permissions, will return access denied
 		viewMode = gateway.OpenInAppRequest_VIEW_MODE_INVALID