diff --git a/app/controllers/resources_controller.rb b/app/controllers/resources_controller.rb
index 994aa703e2..5920489f2c 100644
--- a/app/controllers/resources_controller.rb
+++ b/app/controllers/resources_controller.rb
@@ -1,7 +1,7 @@
 class ResourcesController < ApplicationController
   include ExternallyRedirectable, AhoyTracking, TagAssignable, MentionableScopable
 
-  skip_before_action :authenticate_user!, only: [ :index, :show ]
+  skip_before_action :authenticate_user!, only: [ :index, :show, :download ]
 
   def index
     authorize!
diff --git a/app/policies/resource_policy.rb b/app/policies/resource_policy.rb
index 4a1adeccca..2cbf485bdd 100644
--- a/app/policies/resource_policy.rb
+++ b/app/policies/resource_policy.rb
@@ -18,7 +18,7 @@ def update?
   end
 
   def download?
-    true
+    show?
   end
 
   def filter_published?
diff --git a/spec/policies/resource_policy_spec.rb b/spec/policies/resource_policy_spec.rb
index 9fb7725073..1c0cfef5bc 100644
--- a/spec/policies/resource_policy_spec.rb
+++ b/spec/policies/resource_policy_spec.rb
@@ -93,17 +93,6 @@ def policy_for(record:, user:)
        expect(policy_for(record: published_resource, user: guest_user))
          .not_to be_allowed_to(:show?)
      end
-
-    it "can still reach a publicly visible resource that is hidden from search" do
-      hidden_public_resource = build_stubbed(
-        :resource,
-        published: false,
-        publicly_visible: true,
-        hidden_from_search: true
-      )
-      expect(policy_for(record: hidden_public_resource, user: guest_user))
-        .to be_allowed_to(:show?)
-    end
    end
  end
 
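Review bot: Adding :download to skip_before_action makes ResourcePolicy#download? the only gate on file access for anonymous requests, but this hunk does not show the download action, so it is not visible whether it calls `authorize!` the way index does two lines below. Please confirm that it does, or that an after-action authorization check covers it, because a download action that now skips authentication and also skips the policy check would serve private resources to anyone. A short comment on the changed line would make the dependency explicit: `# :download may run unauthenticated only because ResourcePolicy#download? delegates to show?`. A request spec issuing an anonymous download of a private resource would pin this at the HTTP layer, which the policy specs in this diff do not cover.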
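Review bot: download? now inherits every rule in show?, which is the right direction for a file-serving permission, but the coupling is silent: a later relaxation of show? (for instance around publicly_visible or hidden_from_search records, which the example deleted from spec/policies/resource_policy_spec.rb in this same diff exercised) would widen download access without anyone touching this method. A one-line comment would record the intent: `# Serving the file reveals the resource's contents, so downloads are gated exactly like viewing the record.` The removed show? example has no matching change to show? anywhere in this diff, so either that behaviour changed in another commit or the example was dropped while still describing current behaviour; that is worth confirming before merge, since download? now inherits whichever is true. The policy class that encloses download? starts and ends outside the hunk.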
@@ -135,19 +124,40 @@ def policy_for(record:, user:)
 
   # -----------------------------------------
   describe "#download?" do
-    it "allows admin" do
-      expect(policy_for(record: private_resource, user: admin_user))
-        .to be_allowed_to(:download?)
+    context "admin" do
+      it "can download anything" do
+        expect(policy_for(record: private_resource, user: admin_user))
+          .to be_allowed_to(:download?)
+      end
     end
 
-    it "allows regular user" do
-      expect(policy_for(record: private_resource, user: regular_user))
-        .to be_allowed_to(:download?)
+    context "regular user" do
+      it "can download published resource" do
+        expect(policy_for(record: published_resource, user: regular_user))
+          .to be_allowed_to(:download?)
+      end
+
+      it "cannot download private resource" do
+        expect(policy_for(record: private_resource, user: regular_user))
+          .not_to be_allowed_to(:download?)
+      end
+
+      it "can download publicly visible resource" do
+        expect(policy_for(record: public_resource, user: regular_user))
+          .to be_allowed_to(:download?)
+      end
     end
 
-    it "allows guest" do
-      expect(policy_for(record: private_resource, user: guest_user))
-        .to be_allowed_to(:download?)
+    context "guest" do
+      it "can download publicly visible resource" do
+        expect(policy_for(record: public_resource, user: guest_user))
+          .to be_allowed_to(:download?)
+      end
+
+      it "cannot download published-only resource" do
+        expect(policy_for(record: published_resource, user: guest_user))
+          .not_to be_allowed_to(:download?)
+      end
     end
   end
 
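Review bot: The guest context no longer asserts the most sensitive case: the old "allows guest" example used private_resource, while its replacements only check public_resource and published_resource, so nothing verifies that an anonymous user is denied a download of a private resource now that download? delegates to show?. Add an example `it "cannot download private resource" do` under context "guest" with `expect(policy_for(record: private_resource, user: guest_user)).not_to be_allowed_to(:download?)`. Because download? is defined as show?, the download examples could also be driven by a shared example group that mirrors the show? cases, so the two sets cannot drift apart. The fixtures private_resource, published_resource, public_resource and the user doubles are defined outside this hunk, so their exact attributes are assumed here.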