diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 2c1be428e843c0054e283a780618f201297a1cdb..38c2a053a9eb575d90f09a5da8b7c5a011a09304 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -7,6 +7,8 @@ OCP\JSON::setContentTypeHeader('text/plain');
 // If not, check the login.
 // If no token is sent along, rely on login only
 
+$allowedPermissions = OCP\PERMISSION_ALL;
+
 $l = OC_L10N::get('files');
 if (empty($_POST['dirToken'])) {
 	// The standard case, files are uploaded through logged in users :)
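Review bot: `$allowedPermissions` starts as `OCP\PERMISSION_ALL` before any authentication check has run, so the script begins with the widest mask and relies on the `else` branch in the next hunk to narrow it. A fail-closed ordering would hold up better if another entry path is added later. Initialise with `$allowedPermissions = OCP\PERMISSION_READ;` here and assign `OCP\PERMISSION_ALL` in the logged-in branch only after the login check has passed. That branch's body lies mostly outside this hunk, so the exact placement needs checking against the full file. The assignment in the public-upload branch would then be redundant, though it could stay as an explicit statement of intent.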
@@ -17,6 +19,9 @@ if (empty($_POST['dirToken'])) {
 		die();
 	}
 } else {
+	// return only read permissions for public upload
+	$allowedPermissions = OCP\PERMISSION_READ;
+
 	$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
 	if ($linkItem === false) {
 		OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
@@ -130,7 +135,7 @@ if (strpos($dir, '..') === false) {
 							'originalname' => $files['tmp_name'][$i],
 							'uploadMaxFilesize' => $maxUploadFileSize,
 							'maxHumanFilesize' => $maxHumanFileSize,
-							'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+							'permissions' => $meta['permissions'] & $allowedPermissions
 						);
 					}
 
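Review bot: The `'permissions'` entry has no comment saying that it is only the value reported back to the client, and the same masked expression is repeated in the second result array in the following hunk. I would add `// public-link uploads are reported as read-only; logged-in uploads report the file's real permissions` above the line in both places. Enforcement of what a share-link holder may actually do is not visible in these hunks and presumably lives in the share/filesystem layer, so the comment should state that this mask is advisory and not an access check. Both arrays sit inside a block that starts and ends outside the hunks.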
@@ -156,7 +161,7 @@ if (strpos($dir, '..') === false) {
 					'originalname' => $files['tmp_name'][$i],
 					'uploadMaxFilesize' => $maxUploadFileSize,
 					'maxHumanFilesize' => $maxHumanFileSize,
-					'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+					'permissions' => $meta['permissions'] & $allowedPermissions
 				);
 			}
 		}