2 files changed, 17 insertions, 0 deletions

diff --git a/apps/files/src/actions/viewInFolderAction.spec.ts b/apps/files/src/actions/viewInFolderAction.spec.ts
index 8aa8bc81922..bd618c8a89f 100644
--- a/apps/files/src/actions/viewInFolderAction.spec.ts
+++ b/apps/files/src/actions/viewInFolderAction.spec.ts
@@ -109,6 +109,18 @@ describe('View in folder action enabled tests', () => {
 		expect(action.enabled).toBeDefined()
 		expect(action.enabled!([folder], view)).toBe(false)
 	})
+
+	test('Disabled for files outside the user root folder', () => {
+		const file = new Folder({
+			id: 1,
+			source: 'https://cloud.domain.com/remote.php/dav/trashbin/admin/trash/image.jpg.d1731053878',
+			owner: 'admin',
+			permissions: Permission.READ,
+		})
+
+		expect(action.enabled).toBeDefined()
+		expect(action.enabled!([file], view)).toBe(false)
+	})
 })
 
 describe('View in folder action execute tests', () => {
diff --git a/apps/files/src/actions/viewInFolderAction.ts b/apps/files/src/actions/viewInFolderAction.ts
index 9a9775d1c65..eb145dc409f 100644
--- a/apps/files/src/actions/viewInFolderAction.ts
+++ b/apps/files/src/actions/viewInFolderAction.ts
@@ -36,6 +36,11 @@ export const action = new FileAction({
 			return false
 		}
 
+		// Can only view files that are in the user root folder
+		if (!node.root?.startsWith('/files')) {
+			return false
+		}
+
 		if (node.permissions === Permission.NONE) {
 			return false
 		}