diff --git a/apps/server/src/routers/api/v1/media.rs b/apps/server/src/routers/api/v1/media.rs
index 12cbd64f7..90e0ef191 100644
--- a/apps/server/src/routers/api/v1/media.rs
+++ b/apps/server/src/routers/api/v1/media.rs
@@ -787,7 +787,7 @@ async fn get_media_file(
 ) -> APIResult {
 let db = &ctx.db;
- let user = get_session_user(&session)?;
+ let user = enforce_session_permissions(&session, &[UserPermission::DownloadFile])?;
 let age_restrictions = user
 .age_restriction
 .as_ref()
@@ -836,6 +836,7 @@ async fn convert_media(
 ) -> Result<(), APIError> {
 let db = &ctx.db;
+ // TODO: if keeping, enforce permission
 let user = get_session_user(&session)?;
 let age_restrictions = user
 .age_restriction
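Review bot: The new `DownloadFile` requirement in `get_media_file` is not documented at the handler, at least within the lines shown; the signature and any doc comment sit above the hunk. I would add a line to the handler's doc comment such as `/// Requires UserPermission::DownloadFile; sessions without it are rejected.` so the access rule is visible without reading the body. A regression test asserting that a session lacking the permission is refused would pin the behaviour. The function body continues past the end of the hunk.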
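Review bot: `convert_media` still authenticates with `get_session_user` only, so the added TODO leaves the handler reachable by any logged-in session while `get_media_file` in the previous hunk now requires a permission. If the route stays, enforce at this line rather than deferring: `let user = enforce_session_permissions(&session, &[UserPermission::<REQUIRED_PERMISSION>])?;`, where the placeholder stands for whichever permission the project settles on (the hunk does not name one). If the route's future is undecided, the comment should at least reference a tracking issue and state the gap, e.g. `// TODO(<ISSUE_ID>): no permission check yet; any authenticated user can call this`. The function body continues outside the hunk.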