diff --git a/changelog/unreleased/apps-viewmode.md b/changelog/unreleased/apps-viewmode.md
new file mode 100644
index 0000000000..634c08d3f7
--- /dev/null
+++ b/changelog/unreleased/apps-viewmode.md
@@ -0,0 +1,6 @@
+Bugfix: Apps: fixed viewMode resolution
+
+Currently, the viewMode passed on /app/open is taken without validating
+the actual user's permissions. This PR fixes this.
+
+https://github.com/cs3org/reva/pull/3805
diff --git a/internal/http/services/appprovider/appprovider.go b/internal/http/services/appprovider/appprovider.go
index c4366dc148..c57d9fbc78 100644
--- a/internal/http/services/appprovider/appprovider.go
+++ b/internal/http/services/appprovider/appprovider.go
@@ -449,19 +449,23 @@ func filterAppsByUserAgent(mimeTypes []*appregistry.MimeTypeInfo, userAgent stri
 }
 
 func resolveViewMode(res *provider.ResourceInfo, vm string) gateway.OpenInAppRequest_ViewMode {
+	var viewMode gateway.OpenInAppRequest_ViewMode
 	if vm != "" {
-		return utils.GetViewMode(vm)
+		viewMode = utils.GetViewMode(vm)
+	} else {
+		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
 	}
-
-	var viewMode gateway.OpenInAppRequest_ViewMode
 	canEdit := res.PermissionSet.InitiateFileUpload
 	canView := res.PermissionSet.InitiateFileDownload
 
 	switch {
 	case canEdit && canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE
+		// ok
 	case canView:
-		viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		if viewMode == gateway.OpenInAppRequest_VIEW_MODE_READ_WRITE || viewMode == gateway.OpenInAppRequest_VIEW_MODE_PREVIEW {
+			// downgrade to the maximum permitted viewmode
+			viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY
+		}
 	default:
 		// no permissions, will return access denied
 		viewMode = gateway.OpenInAppRequest_VIEW_MODE_INVALID
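Review bot: The clamp in the `case canView:` branch is written as a deny-list — it only downgrades READ_WRITE and PREVIEW, so any other value that `utils.GetViewMode` can produce from the client-supplied `vm` string (including a write-capable mode added to the enum later) would reach a download-only user unclamped; inverting it to an allow-list of read modes, e.g. `if viewMode != gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY && viewMode != gateway.OpenInAppRequest_VIEW_MODE_INVALID { viewMode = gateway.OpenInAppRequest_VIEW_MODE_READ_ONLY }` (plus a view-only constant if the enum defines one), keeps the check safe by default. I cannot see what `GetViewMode` returns for an unrecognised string; if it is INVALID, excluding INVALID from the clamp as above preserves the access-denied outcome instead of upgrading garbage input to read-only. The `// ok` placeholder in the `canEdit && canView` case would read better as `// full access: the requested (or defaulted) mode is honoured as-is`. The switch's closing brace and the function's return statement lie outside the hunk.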