core/modules/file/file.permissions.yml             | 4 ++++
 core/modules/file/src/FileAccessControlHandler.php | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/core/modules/file/file.permissions.yml b/core/modules/file/file.permissions.yml
index 8575f20..afff9b5 100644
--- a/core/modules/file/file.permissions.yml
+++ b/core/modules/file/file.permissions.yml
@@ -1,2 +1,6 @@
 access files overview:
   title: 'Access the Files overview page'
+
+administer files:
+  title: 'Administer files'
+  restrict access: true
diff --git a/core/modules/file/src/FileAccessControlHandler.php b/core/modules/file/src/FileAccessControlHandler.php
index a310c5f..2193f92 100644
--- a/core/modules/file/src/FileAccessControlHandler.php
+++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -22,7 +22,12 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
     /** @var \Drupal\file\FileInterface $entity */
     if ($operation == 'download' || $operation == 'view') {
       if (\Drupal::service('file_system')->uriScheme($entity->getFileUri()) === 'public') {
-        return AccessResult::allowedIfHasPermissions($account, ['access content', 'administer files'], 'OR');
+        if ($operation === 'download') {
+          return AccessResult::allowed();
+        }
+        else {
+          return AccessResult::allowedIfHasPermissions($account, ['access content', 'administer files'], 'OR');
+        }
       }
       elseif ($references = $this->getFileReferences($entity)) {
         foreach ($references as $field_name => $entity_map) {