diff --git a/media/css/seahub.css b/media/css/seahub.css
index 596a85e8e9..20d14c1bf5 100644
--- a/media/css/seahub.css
+++ b/media/css/seahub.css
@@ -3533,16 +3533,20 @@ textarea:-moz-placeholder {/* for FF */
 }
 
 /* user & group folder perm */
+#share-popup .tabs-panel,
 #folder-perm-tabs .tabs-panel {
     width:550px;
 }
+#share-popup .share-permission-select,
 #folder-perm-tabs .perm-select {
     height:30px;
 }
+#share-popup .submit,
 #folder-perm-tabs .submit {
     margin-top:2px;
     height:30px;
 }
+#share-popup table,
 #folder-perm-tabs table {
     margin-top:0;
 }
diff --git a/seahub/api2/endpoints/__init__.py b/seahub/api2/endpoints/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/seahub/api2/endpoints/dir_shared_items.py b/seahub/api2/endpoints/dir_shared_items.py
new file mode 100644
index 0000000000..28e5d85bd9
--- /dev/null
+++ b/seahub/api2/endpoints/dir_shared_items.py
@@ -0,0 +1,399 @@
+import logging
+import json
+import os
+
+from django.http import HttpResponse
+from pysearpc import SearpcError
+from rest_framework import status
+from rest_framework.authentication import SessionAuthentication
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.throttling import UserRateThrottle
+from rest_framework.views import APIView
+import seaserv
+from seaserv import seafile_api
+
+from seahub.api2.authentication import TokenAuthentication
+from seahub.api2.permissions import IsRepoAccessible
+from seahub.api2.utils import api_error
+from seahub.base.templatetags.seahub_tags import email2nickname
+from seahub.share.signals import share_repo_to_user_successful
+from seahub.share.views import check_user_share_quota
+from seahub.utils import (is_org_context, is_valid_username,
+                          send_perm_audit_msg)
+
+
+logger = logging.getLogger(__name__)
+json_content_type = 'application/json; charset=utf-8'
+
+class DirSharedItemsEndpoint(APIView):
+    """Support uniform interface(list, share, unshare, modify) for sharing
+    library/folder to users/groups.
+    """
+    authentication_classes = (TokenAuthentication, SessionAuthentication)
+    permission_classes = (IsAuthenticated, IsRepoAccessible)
+    throttle_classes = (UserRateThrottle, )
+
+    def list_user_shared_items(self, request, repo_id, path):
+        username = request.user.username
+        if path == '/':
+            share_items = seafile_api.list_repo_shared_to(username, repo_id)
+        else:
+            share_items = seafile_api.get_shared_users_for_subdir(repo_id,
+                                                                  path, username)
+        ret = []
+        for item in share_items:
+            ret.append({
+                "share_type": "user",
+                "user_info": {
+                    "name": item.user,
+                    "nickname": email2nickname(item.user),
+                },
+                "permission": item.perm,
+            })
+        return ret
+
+    def list_group_shared_items(self, request, repo_id, path):
+        username = request.user.username
+        if path == '/':
+            share_items = seafile_api.list_repo_shared_group(username, repo_id)
+        else:
+            share_items = seafile_api.get_shared_groups_for_subdir(repo_id,
+                                                                   path, username)
+        ret = []
+        for item in share_items:
+            ret.append({
+                "share_type": "group",
+                "group_info": {
+                    "id": item.group_id,
+                    "name": seaserv.get_group(item.group_id).group_name,
+                },
+                "permission": item.perm,
+            })
+        return ret
+
+    def handle_shared_to_args(self, request):
+        share_type = request.GET.get('share_type', None)
+        shared_to_user = False
+        shared_to_group = False
+        if share_type:
+            for e in share_type.split(','):
+                e = e.strip()
+                if e not in ['user', 'group']:
+                    continue
+                if e == 'user':
+                    shared_to_user = True
+                if e == 'group':
+                    shared_to_group = True
+        else:
+            shared_to_user = True
+            shared_to_group = True
+
+        return (shared_to_user, shared_to_group)
+
+    def get_sub_repo_by_path(self, request, repo, path):
+        if path == '/':
+            raise Exception("Invalid path")
+
+        # get or create sub repo
+        username = request.user.username
+        if is_org_context(request):
+            org_id = request.user.org.org_id
+            sub_repo = seaserv.seafserv_threaded_rpc.get_org_virtual_repo(
+                org_id, repo.id, path, username)
+        else:
+            sub_repo = seafile_api.get_virtual_repo(repo.id, path, username)
+
+        return sub_repo
+
+    def get_or_create_sub_repo_by_path(self, request, repo, path):
+        username = request.user.username
+        sub_repo = self.get_sub_repo_by_path(request, repo, path)
+        if not sub_repo:
+            name = os.path.basename(path)
+            # create a sub-lib,
+            # use name as 'repo_name' & 'repo_desc' for sub_repo
+            if is_org_context(request):
+                org_id = request.user.org.org_id
+                sub_repo_id = seaserv.seafserv_threaded_rpc.create_org_virtual_repo(
+                    org_id, repo.id, path, name, name, username)
+            else:
+                sub_repo_id = seafile_api.create_virtual_repo(repo.id, path,
+                                                              name, name, username)
+            sub_repo = seafile_api.get_repo(sub_repo_id)
+
+        return sub_repo
+
+    def get(self, request, repo_id, format=None):
+        """List shared items(shared to users/groups) for a folder/library.
+        """
+        repo = seafile_api.get_repo(repo_id)
+        if not repo:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Repo not found.')
+
+        shared_to_user, shared_to_group = self.handle_shared_to_args(request)
+
+        path = request.GET.get('p', '/')
+        if seafile_api.get_dir_id_by_path(repo.id, path) is None:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Directory not found.')
+
+        ret = []
+        if shared_to_user:
+            ret += self.list_user_shared_items(request, repo_id, path)
+
+        if shared_to_group:
+            ret += self.list_group_shared_items(request, repo_id, path)
+
+        return HttpResponse(json.dumps(ret), status=200,
+                            content_type=json_content_type)
+
+    def post(self, request, repo_id, format=None):
+        """Update shared item permission.
+        """
+        username = request.user.username
+        repo = seafile_api.get_repo(repo_id)
+        if not repo:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Repo not found.')
+
+        shared_to_user, shared_to_group = self.handle_shared_to_args(request)
+
+        permission = request.DATA.get('permission', 'r')
+        if permission not in ['r', 'rw']:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Bad permission')
+
+        path = request.GET.get('p', '/')
+        if seafile_api.get_dir_id_by_path(repo.id, path) is None:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Directory not found.')
+
+        if path == '/':
+            shared_repo = repo
+        else:
+            try:
+                sub_repo = self.get_sub_repo_by_path(request, repo, path)
+                if sub_repo:
+                    shared_repo = sub_repo
+                else:
+                    return api_error(status.HTTP_400_BAD_REQUEST, 'No sub repo found')
+            except SearpcError as e:
+                logger.error(e)
+                return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, 'Failed to get sub repo')
+
+        if shared_to_user:
+            shared_to = request.GET.get('username')
+            if shared_to is None or not is_valid_username(shared_to):
+                return api_error(status.HTTP_400_BAD_REQUEST, 'Bad username.')
+
+            if is_org_context(request):
+                org_id = request.user.org.org_id
+                seaserv.seafserv_threaded_rpc.org_set_share_permission(
+                    org_id, shared_repo.id, username, shared_to, permission)
+            else:
+                seafile_api.set_share_permission(shared_repo.id, username,
+                                                 shared_to, permission)
+
+            send_perm_audit_msg('modify-repo-perm', username, shared_to,
+                                shared_repo.id, path, permission)
+
+        if shared_to_group:
+            gid = request.GET.get('group_id')
+            try:
+                gid = int(gid)
+            except ValueError:
+                return api_error(status.HTTP_400_BAD_REQUEST, 'Bad group id: %s' % gid)
+            group = seaserv.get_group(gid)
+            if not group:
+                return api_error(status.HTTP_400_BAD_REQUEST, 'Group not found: %s' % gid)
+
+            if is_org_context(request):
+                org_id = request.user.org.org_id
+                seaserv.seafserv_threaded_rpc.set_org_group_repo_permission(
+                    org_id, gid, shared_repo.id, permission)
+            else:
+                seafile_api.set_group_repo_permission(gid, shared_repo.id,
+                                                      permission)
+
+            send_perm_audit_msg('modify-repo-perm', username, gid,
+                                shared_repo.id, path, permission)
+
+        return HttpResponse(json.dumps({'success': True}), status=200,
+                            content_type=json_content_type)
+
+    def put(self, request, repo_id, format=None):
+        username = request.user.username
+        repo = seafile_api.get_repo(repo_id)
+        if not repo:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Repo not found.')
+
+        path = request.GET.get('p', '/')
+        if seafile_api.get_dir_id_by_path(repo.id, path) is None:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Directory not found.')
+
+        if path != '/':
+            try:
+                sub_repo = self.get_or_create_sub_repo_by_path(request, repo, path)
+            except SearpcError as e:
+                logger.error(e)
+                return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, 'Failed to get sub repo')
+        else:
+            sub_repo = None
+
+        share_type = request.DATA.get('share_type')
+        if share_type != 'user' and share_type != 'group':
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Bad share type')
+
+        permission = request.DATA.get('permission', 'r')
+        if permission not in ['r', 'rw']:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Bad permission')
+
+        shared_repo = repo if path == '/' else sub_repo
+        success, failed = [], []
+        if share_type == 'user':
+            share_to_users = request.DATA.getlist('username')
+            for to_user in share_to_users:
+                if not check_user_share_quota(username, shared_repo, users=[to_user]):
+                    return api_error(status.HTTP_403_FORBIDDEN,
+                                     'Failed to share: No enough quota.')
+
+                try:
+                    if is_org_context(request):
+                        org_id = request.user.org.org_id
+                        seaserv.seafserv_threaded_rpc.org_add_share(
+                            org_id, shared_repo.id, username, to_user,
+                            permission)
+                    else:
+                        seafile_api.share_repo(shared_repo.id, username,
+                                               to_user, permission)
+
+                    # send a signal when sharing repo successful
+                    share_repo_to_user_successful.send(sender=None,
+                                                       from_user=username,
+                                                       to_user=to_user,
+                                                       repo=shared_repo)
+                    success.append({
+                        "share_type": "user",
+                        "user_info": {
+                            "name": to_user,
+                            "nickname": email2nickname(to_user),
+                        },
+                        "permission": permission
+                    })
+
+                    send_perm_audit_msg('add-repo-perm', username, to_user,
+                                        shared_repo.id, path, permission)
+                except SearpcError as e:
+                    logger.error(e)
+                    failed.append(to_user)
+                    continue
+
+        if share_type == 'group':
+            group_ids = request.DATA.getlist('group_id')
+            for gid in group_ids:
+                try:
+                    gid = int(gid)
+                except ValueError:
+                    return api_error(status.HTTP_400_BAD_REQUEST, 'Bad group id: %s' % gid)
+                group = seaserv.get_group(gid)
+                if not group:
+                    return api_error(status.HTTP_400_BAD_REQUEST, 'Group not found: %s' % gid)
+
+                if not check_user_share_quota(username, shared_repo, groups=[group]):
+                    return api_error(status.HTTP_403_FORBIDDEN,
+                                     'Failed to share: No enough quota.')
+
+                try:
+                    if is_org_context(request):
+                        org_id = request.user.org.org_id
+                        seafile_api.add_org_group_repo(shared_repo.repo_id,
+                                                       org_id, gid, username,
+                                                       permission)
+                    else:
+                        seafile_api.set_group_repo(shared_repo.repo_id, gid,
+                                                   username, permission)
+
+                    success.append({
+                        "share_type": "group",
+                        "group_info": {
+                            "id": gid,
+                            "name": group.group_name,
+                        },
+                        "permission": permission
+                    })
+
+                    send_perm_audit_msg('add-repo-perm', username, gid,
+                                        shared_repo.id, path, permission)
+                except SearpcError as e:
+                    logger.error(e)
+                    failed.append(group.group_name)
+                    continue
+
+        return HttpResponse(json.dumps({
+            "success": success,
+            "failed": failed
+        }), status=200, content_type=json_content_type)
+
+    def delete(self, request, repo_id, format=None):
+        username = request.user.username
+        repo = seafile_api.get_repo(repo_id)
+        if not repo:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Repo not found.')
+
+        shared_to_user, shared_to_group = self.handle_shared_to_args(request)
+
+        path = request.GET.get('p', '/')
+        if seafile_api.get_dir_id_by_path(repo.id, path) is None:
+            return api_error(status.HTTP_400_BAD_REQUEST, 'Directory not found.')
+
+        if path == '/':
+            shared_repo = repo
+        else:
+            try:
+                sub_repo = self.get_sub_repo_by_path(request, repo, path)
+                if sub_repo:
+                    shared_repo = sub_repo
+                else:
+                    return api_error(status.HTTP_400_BAD_REQUEST, 'No sub repo found')
+            except SearpcError as e:
+                logger.error(e)
+                return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, 'Failed to get sub repo')
+
+        if shared_to_user:
+            shared_to = request.GET.get('username')
+            if shared_to is None or not is_valid_username(shared_to):
+                return api_error(status.HTTP_400_BAD_REQUEST, 'Bad argument.')
+
+            if is_org_context(request):
+                org_id = request.user.org.org_id
+                seaserv.seafserv_threaded_rpc.org_remove_share(
+                    org_id, shared_repo.id, username, shared_to)
+            else:
+                seaserv.remove_share(shared_repo.id, username, shared_to)
+
+            permission = seafile_api.check_permission_by_path(repo.id, path,
+                                                              shared_to)
+            send_perm_audit_msg('delete-repo-perm', username, shared_to,
+                                shared_repo.id, path, permission)
+
+        if shared_to_group:
+            group_id = request.GET.get('group_id')
+            try:
+                group_id = int(group_id)
+            except ValueError:
+                return api_error(status.HTTP_400_BAD_REQUEST, 'Bad group id')
+
+            # hacky way to get group repo permission
+            permission = ''
+            for e in seafile_api.list_repo_shared_group(username, shared_repo.id):
+                if e.group_id == group_id:
+                    permission = e.perm
+                    break
+
+            if is_org_context(request):
+                org_id = request.user.org.org_id
+                seaserv.del_org_group_repo(shared_repo.id, org_id, group_id)
+            else:
+                seafile_api.unset_group_repo(shared_repo.id, group_id, username)
+
+            send_perm_audit_msg('delete-repo-perm', username, group_id,
+                                shared_repo.id, path, permission)
+
+        return HttpResponse(json.dumps({'success': True}), status=200,
+                            content_type=json_content_type)
diff --git a/seahub/api2/urls.py b/seahub/api2/urls.py
index a7f924f7ab..a59551f855 100644
--- a/seahub/api2/urls.py
+++ b/seahub/api2/urls.py
@@ -3,6 +3,7 @@ from django.conf.urls.defaults import *
 from .views import *
 from .views_misc import ServerInfoView
 from .views_auth import LogoutDeviceView, ClientLoginTokenView
+from .endpoints.dir_shared_items import DirSharedItemsEndpoint
 
 
 urlpatterns = patterns('',
@@ -40,6 +41,7 @@ urlpatterns = patterns('',
     url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/dir/$', DirView.as_view(), name='DirView'),
     url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/dir/sub_repo/$', DirSubRepoView.as_view()),
     url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/dir/share/$', DirShareView.as_view()),
+    url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/dir/shared_items/$', DirSharedItemsEndpoint.as_view(), name="api2-dir-shared-items"),
     url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/dir/download/$', DirDownloadView.as_view()),
     url(r'^repos/(?P<repo_id>[-0-9-a-f]{36})/thumbnail/$', ThumbnailView.as_view(), name='api2-thumbnail'),
     url(r'^starredfiles/', StarredFileView.as_view(), name='starredfiles'),
diff --git a/seahub/api2/views.py b/seahub/api2/views.py
index 082c391bff..d016bc1a99 100644
--- a/seahub/api2/views.py
+++ b/seahub/api2/views.py
@@ -64,6 +64,7 @@ from seahub.shortcuts import get_first_object_or_none
 from seahub.signals import repo_created, share_file_to_user_successful
 from seahub.share.models import PrivateFileDirShare, FileShare, OrgFileShare, \
     UploadLinkShare
+from seahub.share.signals import share_repo_to_user_successful
 from seahub.share.views import list_shared_repos
 from seahub.utils import gen_file_get_url, gen_token, gen_file_upload_url, \
     check_filename_with_rename, is_valid_username, EVENTS_ENABLED, \
@@ -1851,7 +1852,10 @@ class FileDetailView(APIView):
             # get real path for sub repo
             real_path = repo.origin_path + path if repo.origin_path else path
             dirent = seafile_api.get_dirent_by_path(repo.store_id, real_path)
-            latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            if dirent:
+                latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            else:
+                latest_contributor, last_modified = None, 0
         except SearpcError as e:
             logger.error(e)
             latest_contributor, last_modified = None, 0
@@ -2284,6 +2288,7 @@ class DirShareView(APIView):
             share_file_to_user_successful.send(sender=None, priv_share_obj=pfds)
         return HttpResponse(json.dumps({}), status=200, content_type=json_content_type)
 
+
 class DirSubRepoView(APIView):
     authentication_classes = (TokenAuthentication, )
     permission_classes = (IsAuthenticated,)
diff --git a/seahub/auth/tokens.py b/seahub/auth/tokens.py
index 1599f533c8..91bb013a89 100644
--- a/seahub/auth/tokens.py
+++ b/seahub/auth/tokens.py
@@ -57,12 +57,12 @@ class PasswordResetTokenGenerator(object):
         key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
 
         # Ensure results are consistent across DB backends
-        try:
-            user_last_login = UserLastLogin.objects.get(username=user.email)
-            login_dt = user_last_login.last_login
-        except UserLastLogin.DoesNotExist:
+        user_last_login = UserLastLogin.objects.get_by_username(user.username)
+        if user_last_login is None:
             from seahub.utils.timeutils import dt
             login_dt = dt(user.ctime)
+        else:
+            login_dt = user_last_login.last_login
         login_timestamp = login_dt.replace(microsecond=0, tzinfo=None)
 
         value = (six.text_type(user.id) + user.enc_password +
diff --git a/seahub/base/models.py b/seahub/base/models.py
index 05103e7f5c..cdc4ada20f 100644
--- a/seahub/base/models.py
+++ b/seahub/base/models.py
@@ -120,7 +120,10 @@ class UserStarredFilesManager(models.Manager):
                 real_path = sfile.repo.origin_path + sfile.path if sfile.repo.origin_path else sfile.path
                 dirent = seafile_api.get_dirent_by_path(sfile.repo.store_id,
                                                         real_path)
-                sfile.last_modified = dirent.mtime
+                if dirent:
+                    sfile.last_modified = dirent.mtime
+                else:
+                    sfile.last_modified = 0
             except SearpcError as e:
                 logger.error(e)
                 sfile.last_modified = 0
@@ -152,18 +155,35 @@ class GroupEnabledModule(models.Model):
     module_name = models.CharField(max_length=20)
 
 ########## misc
+class UserLastLoginManager(models.Manager):
+    def get_by_username(self, username):
+        """Return last login record for a user, delete duplicates if there are
+        duplicated records.
+        """
+        try:
+            return self.get(username=username)
+        except UserLastLogin.DoesNotExist:
+            return None
+        except UserLastLogin.MultipleObjectsReturned:
+            dups = self.filter(username=username)
+            ret = dups[0]
+            for dup in dups[1:]:
+                dup.delete()
+                logger.warn('Delete duplicate user last login record: %s' % username)
+            return ret
+
 class UserLastLogin(models.Model):
     username = models.CharField(max_length=255, db_index=True)
     last_login = models.DateTimeField(default=timezone.now)
+    objects = UserLastLoginManager()
 
 def update_last_login(sender, user, **kwargs):
     """
     A signal receiver which updates the last_login date for
     the user logging in.
     """
-    try:
-        user_last_login = UserLastLogin.objects.get(username=user.username)
-    except UserLastLogin.DoesNotExist:
+    user_last_login = UserLastLogin.objects.get_by_username(user.username)
+    if user_last_login is None:
         user_last_login = UserLastLogin(username=user.username)
     user_last_login.last_login = timezone.now()
     user_last_login.save()
diff --git a/seahub/group/views.py b/seahub/group/views.py
index 8073836400..6c710d1308 100644
--- a/seahub/group/views.py
+++ b/seahub/group/views.py
@@ -1396,7 +1396,10 @@ def group_wiki(request, group, page_name="home"):
         path = '/' + dirent.obj_name
         try:
             dirent = seafile_api.get_dirent_by_path(repo.id, path)
-            latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            if dirent:
+                latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            else:
+                latest_contributor, last_modified = None, 0
         except SearpcError as e:
             logger.error(e)
             latest_contributor, last_modified = None, 0
diff --git a/seahub/share/views.py b/seahub/share/views.py
index 81f69ca36a..4fc14e33fe 100644
--- a/seahub/share/views.py
+++ b/seahub/share/views.py
@@ -359,7 +359,7 @@ def ajax_repo_remove_share(request):
 @login_required
 def repo_remove_share(request):
     """
-    If repo is shared from one person to another person, only these two peson
+    If repo is shared from one person to another person, only these two person
     can remove share.
     If repo is shared from one person to a group, then only the one share the
     repo and group staff can remove share.
diff --git a/seahub/templates/js/templates.html b/seahub/templates/js/templates.html
index 3472f87fec..6ee25009ef 100644
--- a/seahub/templates/js/templates.html
+++ b/seahub/templates/js/templates.html
@@ -325,8 +325,9 @@
                 <% if (user_perm == 'rw' && !repo_encrypted) { %>
             <li class="tab"><a href="#dir-upload-link-share" class="a">{% trans "Upload Link" %}</a></li>
                 <% } %>
-                <% if (!is_virtual && is_repo_owner) { %>
-            <li class="tab"><a href="#dir-private-share" class="a">{% trans "Private Share" %}</a></li>
+            <% if (!is_virtual && is_repo_owner) { %> {# dir private share #}
+            <li class="tab"><a href="#dir-user-share" class="a">{% trans "Share to user" %}</a></li>
+            <li class="tab"><a href="#dir-group-share" class="a">{% trans "Share to group" %}</a></li>
                 <% } %>
             <% } %>
         </ul>
@@ -420,28 +421,56 @@
 
                 <% if (!is_virtual && is_repo_owner) { %>
                     <% if (!repo_encrypted) { %>
-            <div id="dir-private-share" class="tabs-panel hide">
+            <div id="dir-user-share" class="tabs-panel hide">
                     <% } else { %>
-            <div id="dir-private-share" class="tabs-panel"> {# enc lib only has 'dir-private-share' #}
+            <div id="dir-user-share" class="tabs-panel">
                     <% } %>
-                <form id="dir-private-share-form" action="" class="hide">
-                    <label class="label">{% trans "People:" %}</label><br />
-                    <input type="hidden" name="emails" class="w100" /><br />
-
-                    <label class="label">{% trans "Groups:" %}</label><br />
-                    <select name="groups" class="w100" multiple="multiple"></select><br />
-
-                    <label class="label">{% trans "Permission:" %}</label><br />
-                    <select name="permission" class="share-permission-select w100">
-                        <option value="rw" selected="selected">{% trans "Read-Write"%}</option>
-                        <option value="r">{% trans "Read-Only"%}</option>
-                    </select>
-                    <p class="error hide"></p>
-                    <input type="submit" value="{% trans "Submit" %}" class="submit" />
-                </form>
+                <table>
+                    <tr>
+                        <th width="55%">{% trans "User" %}</th>
+                        <th width="25%">{% trans "Permission" %}</th>
+                        <th width="20%"></th>
+                    </tr>
+                    <tr id="add-dir-user-share-item">
+                        <td>
+                            <input type="hidden" name="emails" class="w100" />
+                        </td>
+                        <td>
+                            <select name="permission" class="share-permission-select w100">
+                                <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
+                                <option value="r">{% trans "Read-Only" %}</option>
+                            </select>
+                        </td>
+                        <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
+                    </tr>
+                </table>
+                <p class="error hide"></p>
             </div>
-                <% } %>
-            <% } %>
+
+            <div id="dir-group-share" class="tabs-panel hide">
+                <table>
+                    <tr>
+                        <th width="55%">{% trans "Group" %}</th>
+                        <th width="25%">{% trans "Permission" %}</th>
+                        <th width="20%"></th>
+                    </tr>
+                    <tr id="add-dir-group-share-item">
+                        <td>
+                            <select name="groups" class="w100" multiple="multiple"></select>
+                        </td>
+                        <td>
+                            <select name="permission" class="share-permission-select w100">
+                                <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
+                                <option value="r">{% trans "Read-Only" %}</option>
+                            </select>
+                        </td>
+                        <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
+                    </tr>
+                </table>
+                <p class="error hide"></p>
+            </div>
+                <% } %> {# if (!is_virtual && is_repo_owner) #}
+            <% } %> {# if is_dir #}
 
         </div>
     </div>
@@ -593,9 +622,9 @@
 </form>
 </script>
 <script type="text/template" id="folder-perm-item-tmpl">
-    <% if (is_user_perm) { %>
+    <% if (for_user) { %>
     <td>
-        <a href="{{ SITE_ROOT }}profile/<% print(encodeURIComponent(user)); %>/" target="_blank" title="<%- user %>"><%- user_name %></a>
+        <a href="{{ SITE_ROOT }}profile/<% print(encodeURIComponent(user)); %>/" target="_blank"><%- user_name %></a>
     </td>
     <% } else { %>
     <td>
@@ -624,7 +653,7 @@
         </select>
     </td>
     <td>
-        <img src="{{ MEDIA_URL }}img/rm.png" class="perm-delete-icon op-icon vh" alt="" title="{% trans "Delete" %}" />
+        <img src="{{ MEDIA_URL }}img/rm.png" class="delete-icon op-icon vh" alt="" title="{% trans "Delete" %}" />
     </td>
 </script>
 <script type="text/template" id="folder-perm-popup-tmpl">
diff --git a/seahub/templates/snippets/office_convert_js.html b/seahub/templates/snippets/office_convert_js.html
index e9c5a44abe..c06a528a84 100644
--- a/seahub/templates/snippets/office_convert_js.html
+++ b/seahub/templates/snippets/office_convert_js.html
@@ -20,7 +20,8 @@ var OfficePreviewer = function(file_id, preview_token) {
             $.param({file_id: this.file_id, page: page});
     }
     this.page_content_url = function(page) {
-        return "{% url 'office_convert_get_page' obj_id %}/" + page + '.page';
+        return "{% url 'office_convert_get_page' obj_id %}/"
+            + page + '.page?office_preview_token=' + this.preview_token;
     }
 
     var url = window.location.href;
diff --git a/seahub/test_utils.py b/seahub/test_utils.py
index feb71a2fb7..e8221e12c2 100644
--- a/seahub/test_utils.py
+++ b/seahub/test_utils.py
@@ -54,16 +54,20 @@ class Fixtures(Exam):
 
         return User.objects.create_user(password='secret', **kwargs)
 
-    def remove_user(self, email, source="DB"):
+    def remove_user(self, email=None, source="DB"):
+        if not email:
+            email = self.user.username
         ccnet_threaded_rpc.remove_emailuser(email, source)
 
     def create_repo(self, **kwargs):
         repo_id = seafile_api.create_repo('test-repo', '',
-                                          'test@test.com', None)
+                                          self.user.username, None)
         return repo_id
 
-    def remove_repo(self):
-        return seafile_api.remove_repo(self.repo.id)
+    def remove_repo(self, repo_id=None):
+        if not repo_id:
+            repo_id = self.repo.id
+        return seafile_api.remove_repo(repo_id)
 
     def create_file(self, **kwargs):
         seafile_api.post_empty_file(**kwargs)
diff --git a/seahub/utils/repo.py b/seahub/utils/repo.py
index 532bdb85b6..e8e1e28e7d 100644
--- a/seahub/utils/repo.py
+++ b/seahub/utils/repo.py
@@ -15,7 +15,8 @@ def list_dir_by_path(cmmt, path):
     if cmmt.root_id == EMPTY_SHA1:
         return []
     else:
-        return seafile_api.list_dir_by_commit_and_path(cmmt.repo_id, cmmt.id, path)
+        dirs = seafile_api.list_dir_by_commit_and_path(cmmt.repo_id, cmmt.id, path)
+        return dirs if dirs else []
 
 def get_sub_repo_abbrev_origin_path(repo_name, origin_path):
     """Return abbrev path for sub repo based on `repo_name` and `origin_path`.
diff --git a/seahub/views/__init__.py b/seahub/views/__init__.py
index e981e0357a..187022f8ff 100644
--- a/seahub/views/__init__.py
+++ b/seahub/views/__init__.py
@@ -217,6 +217,8 @@ def get_repo_dirents_with_perm(request, repo, commit, path, offset=-1, limit=-1)
     else:
         try:
             dir_id = seafile_api.get_dir_id_by_path(repo.id, path)
+            if not dir_id:
+                return ([], [], False)
             dirs = seafserv_threaded_rpc.list_dir_with_perm(repo.id, path,
                                                             dir_id, username,
                                                             offset, limit)
@@ -300,6 +302,8 @@ def get_repo_dirents(request, repo, commit, path, offset=-1, limit=-1):
             dirs = seafile_api.list_dir_by_commit_and_path(commit.repo_id,
                                                            commit.id, path,
                                                            offset, limit)
+            if not dirs:
+                return ([], [], False)
         except SearpcError as e:
             logger.error(e)
             return ([], [], False)
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index e757a85d86..12637748a0 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -1854,8 +1854,7 @@ def get_file_upload_url_ul(request, token):
                             status=403, content_type=content_type)
 
     acc_token = seafile_api.get_fileserver_access_token(repo_id, 'dummy',
-                                                        'upload',
-                                                        request.user.username,
+                                                        'upload', '',
                                                         use_onetime=False)
     url = gen_file_upload_url(acc_token, 'upload-aj')
     return HttpResponse(json.dumps({"url": url}), content_type=content_type)
diff --git a/seahub/views/file.py b/seahub/views/file.py
index f1034d5e86..fdc8437385 100644
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -444,7 +444,10 @@ def _file_view(request, repo_id, path):
         # get real path for sub repo
         real_path = repo.origin_path + path if repo.origin_path else path
         dirent = seafile_api.get_dirent_by_path(repo.store_id, real_path)
-        latest_contributor, last_modified = dirent.modifier, dirent.mtime
+        if dirent:
+            latest_contributor, last_modified = dirent.modifier, dirent.mtime
+        else:
+            latest_contributor, last_modified = None, 0
     except SearpcError as e:
         logger.error(e)
         latest_contributor, last_modified = None, 0
@@ -1391,11 +1394,11 @@ def office_convert_get_page(request, path, internal=False):
         return HttpResponseForbidden()
 
     file_id = m.group(1)
-    # if path.endswith('file.css'):
-    #     pass
-    # else:
-    #     if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
-    #         return HttpResponseForbidden()
+    if path.endswith('file.css'):
+        pass
+    else:
+        if request.office_preview_token != do_md5(file_id + settings.SECRET_KEY):
+            return HttpResponseForbidden()
 
     resp = get_office_converted_page(request, path, file_id, internal=internal)
     if path.endswith('.page'):
diff --git a/seahub/views/repo.py b/seahub/views/repo.py
index fc3ab4a1e6..2dd4531c42 100644
--- a/seahub/views/repo.py
+++ b/seahub/views/repo.py
@@ -374,6 +374,9 @@ def _download_dir_from_share_link(request, fileshare, repo, real_path):
         dirname = os.path.basename(real_path.rstrip('/'))
 
     dir_id = seafile_api.get_dir_id_by_path(repo.id, real_path)
+    if not dir_id:
+        return render_error(
+            request, _(u'Unable to download: folder not found.'))
 
     try:
         total_size = seaserv.seafserv_threaded_rpc.get_dir_size(
diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py
index 39ed0496d9..cd60ae4c15 100644
--- a/seahub/views/sysadmin.py
+++ b/seahub/views/sysadmin.py
@@ -88,7 +88,8 @@ def sys_info(request):
 
     is_pro = is_pro_version()
     if is_pro:
-        license_dict = parse_license('../seafile-license.txt')
+        license_file = os.path.join(settings.PROJECT_ROOT, '../../seafile-license.txt')
+        license_dict = parse_license(license_file)
     else:
         license_dict = {}
     return render_to_response('sysadmin/sys_info.html', {
diff --git a/seahub/views/wiki.py b/seahub/views/wiki.py
index 8771905ed0..0ab21cf42f 100644
--- a/seahub/views/wiki.py
+++ b/seahub/views/wiki.py
@@ -66,8 +66,12 @@ def personal_wiki(request, page_name="home"):
         path = '/' + dirent.obj_name
         try:
             dirent = seafile_api.get_dirent_by_path(repo.id, path)
-            latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            if dirent:
+                latest_contributor, last_modified = dirent.modifier, dirent.mtime
+            else:
+                latest_contributor, last_modified = None, 0
         except SearpcError as e:
+            logger.error(e)
             latest_contributor, last_modified = None, 0
 
         wiki_index_exists = True
diff --git a/seahub/wiki/utils.py b/seahub/wiki/utils.py
index 456cc5f857..6a4b7a3de3 100644
--- a/seahub/wiki/utils.py
+++ b/seahub/wiki/utils.py
@@ -98,6 +98,8 @@ def get_wiki_pages(repo):
     return pages in hashtable {normalized_name: page_name}
     """
     dir_id = seaserv.seafserv_threaded_rpc.get_dir_id_by_path(repo.id, '/')
+    if not dir_id:
+        return {}
     dirs = seafile_api.list_dir_by_dir_id(repo.id, dir_id)
     pages = {}
     for e in dirs:
diff --git a/static/scripts/app/views/folder-perm-item.js b/static/scripts/app/views/folder-perm-item.js
index c943582a6b..9978e2daab 100644
--- a/static/scripts/app/views/folder-perm-item.js
+++ b/static/scripts/app/views/folder-perm-item.js
@@ -29,7 +29,7 @@ define([
             'mouseleave': 'hidePermOpIcons',
             'click .perm-edit-icon': 'editIconClick',
             'change .perm-toggle-select': 'editPerm',
-            'click .perm-delete-icon': 'deletePerm'
+            'click .delete-icon': 'deletePerm'
         },
 
         showPermOpIcons: function () {
@@ -54,15 +54,15 @@ define([
                 'path': this.path,
                 'type': 'modify'
             };
-            var is_user_perm = this.item_data.is_user_perm;
-            if (is_user_perm) {
+            var for_user = this.item_data.for_user;
+            if (for_user) {
                 $.extend(post_data, {'user': this.item_data.user});
             } else {
                 $.extend(post_data, {'group_id': this.item_data.group_id});
             }
             $.ajax({
                 url: Common.getUrl({
-                    name: is_user_perm ? 'set_user_folder_perm' : 'set_group_folder_perm',
+                    name: for_user ? 'set_user_folder_perm' : 'set_group_folder_perm',
                     repo_id: this.repo_id
                 }),
                 type: 'POST',
@@ -81,7 +81,7 @@ define([
                     } else {
                         err = gettext("Failed. Please check the network.");
                     }
-                    if (is_user_perm) {
+                    if (for_user) {
                         $('#user-folder-perm .error').html(err).removeClass('hide');
                     } else {
                         $('#group-folder-perm .error').html(err).removeClass('hide');
@@ -97,15 +97,15 @@ define([
                 'path': this.path,
                 'type': 'delete'
             };
-            var is_user_perm = this.item_data.is_user_perm;
-            if (is_user_perm) {
+            var for_user = this.item_data.for_user;
+            if (for_user) {
                 $.extend(post_data, {'user': this.item_data.user});
             } else {
                 $.extend(post_data, {'group_id': this.item_data.group_id});
             }
             $.ajax({
                 url: Common.getUrl({
-                    name: is_user_perm ? 'set_user_folder_perm' : 'set_group_folder_perm',
+                    name: for_user ? 'set_user_folder_perm' : 'set_group_folder_perm',
                     repo_id: this.repo_id
                 }),
                 type: 'POST',
@@ -123,7 +123,7 @@ define([
                     } else {
                         err = gettext("Failed. Please check the network.");
                     }
-                    if (is_user_perm) {
+                    if (for_user) {
                         $('#user-folder-perm .error').html(err).removeClass('hide');
                     } else {
                         $('#group-folder-perm .error').html(err).removeClass('hide');
diff --git a/static/scripts/app/views/folder-perm.js b/static/scripts/app/views/folder-perm.js
index 76afdecbf3..1071ff954c 100644
--- a/static/scripts/app/views/folder-perm.js
+++ b/static/scripts/app/views/folder-perm.js
@@ -72,7 +72,7 @@ define([
                         var perm_item = new FolderPermItemView({
                             'repo_id': _this.repo_id,
                             'path': _this.path,
-                            'item_data':$.extend(item, {'is_user_perm': true})
+                            'item_data':$.extend(item, {'for_user': true})
                         });
                         $add_user_perm.after(perm_item.el);
                     });
@@ -81,7 +81,7 @@ define([
                         var perm_item = new FolderPermItemView({
                             'repo_id': _this.repo_id,
                             'path': _this.path,
-                            'item_data':$.extend(item, {'is_user_perm': false})
+                            'item_data':$.extend(item, {'for_user': false})
                         });
                         $add_group_perm.after(perm_item.el);
                     });
@@ -139,7 +139,7 @@ define([
                                 'user': email,
                                 'user_name': item.user_name,
                                 'perm': perm,
-                                'is_user_perm': true
+                                'for_user': true
                             }
                         });
                         form.after(perm_item.el);
@@ -188,7 +188,7 @@ define([
                             'repo_id': _this.repo_id,
                             'path': _this.path,
                             'item_data': {
-                                'is_user_perm': false,
+                                'for_user': false,
                                 'perm': perm,
                                 'group_id': item.group_id,
                                 'group_name': item.group_name
diff --git a/static/scripts/app/views/folder-share-item.js b/static/scripts/app/views/folder-share-item.js
new file mode 100644
index 0000000000..f3705148fc
--- /dev/null
+++ b/static/scripts/app/views/folder-share-item.js
@@ -0,0 +1,129 @@
+define([
+    'jquery',
+    'underscore',
+    'backbone',
+    'common'
+], function($, _, Backbone, Common) {
+    'use strict';
+
+    var FolderShareItemView = Backbone.View.extend({
+        tagName: 'tr',
+
+        template: _.template($('#folder-perm-item-tmpl').html()),
+
+        initialize: function(options) {
+            this.item_data = options.item_data;
+            this.repo_id = options.repo_id;
+            this.path = options.path;
+
+            this.render();
+        },
+
+        render: function () {
+            this.$el.html(this.template(this.item_data));
+            return this;
+        },
+
+        events: {
+            'mouseenter': 'showOpIcons',
+            'mouseleave': 'hideOpIcons',
+            'click .perm-edit-icon': 'editIconClick',
+            'change .perm-toggle-select': 'editPerm',
+            'click .delete-icon': 'del'
+        },
+
+        showOpIcons: function () {
+            this.$el.find('.op-icon').removeClass('vh');
+        },
+
+        hideOpIcons: function () {
+            this.$el.find('.op-icon').addClass('vh');
+        },
+
+        editIconClick: function (e) {
+            $(e.currentTarget).closest('td')
+                .find('.perm').addClass('hide').end()
+                .find('.perm-toggle-select').removeClass('hide');
+        },
+
+        editPerm: function (e) {
+            var _this = this;
+            var item_data = this.item_data;
+            var url = Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: this.repo_id
+                }) + '?p=' + encodeURIComponent(this.path);
+            if (item_data.for_user) {
+                url += '&share_type=user&username=' + encodeURIComponent(item_data.user);
+            } else {
+                url += '&share_type=group&group_id=' + encodeURIComponent(item_data.group_id);
+            }
+            var perm = $(e.currentTarget).val();
+            $.ajax({
+                url: url,
+                dataType: 'json',
+                method: 'POST',
+                beforeSend: Common.prepareCSRFToken,
+                data: {
+                    'permission': perm
+                },
+                success: function () {
+                    item_data.perm = perm;
+                    _this.render();
+                },
+                error: function(xhr) {
+                    var err_msg;
+                    if (xhr.responseText) {
+                        err_msg = gettext("Edit failed");
+                    } else {
+                        err_msg = gettext("Failed. Please check the network.");
+                    }
+                    if (item_data.for_user) {
+                        $('#dir-user-share .error').html(err_msg).removeClass('hide');
+                    } else {
+                        $('#dir-group-group .error').html(err_msg).removeClass('hide');
+                    }
+                }
+            });
+        },
+
+        del: function () {
+            var _this = this;
+            var item_data = this.item_data;
+            var url = Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: this.repo_id
+                }) + '?p=' + encodeURIComponent(this.path);
+            if (item_data.for_user) {
+                url += '&share_type=user&username=' + encodeURIComponent(item_data.user);
+            } else {
+                url += '&share_type=group&group_id=' + encodeURIComponent(item_data.group_id);
+            }
+            $.ajax({
+                url: url,
+                dataType: 'json',
+                method: 'DELETE',
+                beforeSend: Common.prepareCSRFToken,
+                success: function () {
+                    _this.remove();
+                },
+                error: function (xhr) {
+                    var err_msg;
+                    if (xhr.responseText) {
+                        err_msg = gettext("Delete failed");
+                    } else {
+                        err_msg = gettext("Failed. Please check the network.");
+                    }
+                    if (item_data.for_user) {
+                        $('#dir-user-share .error').html(err_msg).removeClass('hide');
+                    } else {
+                        $('#dir-group-group .error').html(err_msg).removeClass('hide');
+                    }
+                }
+            });
+        }
+
+    });
+
+    return FolderShareItemView;
+});
diff --git a/static/scripts/app/views/share.js b/static/scripts/app/views/share.js
index bbc1471b36..0608336e76 100644
--- a/static/scripts/app/views/share.js
+++ b/static/scripts/app/views/share.js
@@ -4,8 +4,9 @@ define([
     'backbone',
     'common',
     'jquery.ui.tabs',
-    'select2'
-], function($, _, Backbone, Common, Tabs, Select2) {
+    'select2',
+    'app/views/folder-share-item'
+], function($, _, Backbone, Common, Tabs, Select2, FolderShareItemView) {
     'use strict';
 
     var SharePopupView = Backbone.View.extend({
@@ -42,7 +43,17 @@ define([
                     this.uploadLinkPanelInit();
                 }
                 if (!this.is_virtual && this.is_repo_owner) {
-                    this.dirPrivateSharePanelInit();
+                    this.dirUserSharePanelInit();
+                    this.dirGroupSharePanelInit();
+
+                    var _this = this;
+                    $(document).on('click', function(e) {
+                        var target = e.target || event.srcElement;
+                        if (!_this.$('.perm-edit-icon, .perm-toggle-select').is(target)) {
+                            _this.$('.perm').removeClass('hide');
+                            _this.$('.perm-toggle-select').addClass('hide');
+                        }
+                    });
                 }
             }
         },
@@ -81,11 +92,9 @@ define([
             'click #cancel-share-upload-link': 'cancelShareUploadLink',
             'click #delete-upload-link': 'deleteUploadLink',
 
-            // file private share
-            'submit #file-private-share-form': 'filePrivateShare',
-
             // dir private share
-            'submit #dir-private-share-form': 'dirPrivateShare'
+            'click #add-dir-user-share-item .submit': 'dirUserShare',
+            'click #add-dir-group-share-item .submit': 'dirGroupShare'
         },
 
         highlightCheckbox: function (e) {
@@ -407,14 +416,50 @@ define([
             });
         },
 
-        dirPrivateSharePanelInit: function() {
-            // no 'share to all'
-            var form = this.$('#dir-private-share-form');
+        dirUserSharePanelInit: function() {
+            var form = this.$('#dir-user-share');
 
             $('[name="emails"]', form).select2($.extend({
-                width: '400px'
+                width: '297px'
             },Common.contactInputOptionsForSelect2()));
 
+            // show existing items
+            var $add_item = $('#add-dir-user-share-item');
+            var repo_id = this.repo_id, 
+                path = this.dirent_path;
+            Common.ajaxGet({
+                'get_url': Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: repo_id
+                }), 
+                'data': {
+                    'p': path,
+                    'share_type': 'user'
+                },
+                'after_op_success': function (data) {
+                    $(data).each(function(index, item) {
+                        var new_item = new FolderShareItemView({
+                            'repo_id': repo_id,
+                            'path': path,
+                            'item_data': {
+                                "user": item.user_info.name,
+                                "user_name": item.user_info.nickname,
+                                "perm": item.permission,
+                                'for_user': true
+                            }
+                        }); 
+                        $add_item.after(new_item.el);
+                    }); 
+                }
+            }); 
+
+            form.removeClass('hide');
+            this.$('.loading-tip').hide();
+        },
+
+        dirGroupSharePanelInit: function() {
+            var form = this.$('#dir-group-share');
+
             var groups = app.pageOptions.groups || [];
             var g_opts = '';
             for (var i = 0, len = groups.length; i < len; i++) {
@@ -422,59 +467,164 @@ define([
             }
             $('[name="groups"]', form).html(g_opts).select2({
                 placeholder: gettext("Select groups"),
-                width: '400px',
+                width: '297px',
                 escapeMarkup: function(m) { return m; }
             });
 
+            // show existing items
+            var $add_item = $('#add-dir-group-share-item');
+            var repo_id = this.repo_id, 
+                path = this.dirent_path;
+            Common.ajaxGet({
+                'get_url': Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: repo_id
+                }),
+                'data': {
+                    'p': path,
+                    'share_type': 'group'
+                },
+                'after_op_success': function (data) {
+                    $(data).each(function(index, item) {
+                        var new_item = new FolderShareItemView({
+                            'repo_id': repo_id,
+                            'path': path,
+                            'item_data': {
+                                "group_id": item.group_info.id,
+                                "group_name": item.group_info.name,
+                                "perm": item.permission,
+                                'for_user': false
+                            }
+                        });
+                        $add_item.after(new_item.el);
+                    });
+                }   
+            }); 
+
             form.removeClass('hide');
             this.$('.loading-tip').hide();
         },
 
-        dirPrivateShare: function () {
-            var form = this.$('#dir-private-share-form'),
-                form_id = form.attr('id');
+        dirUserShare: function () {
+            var panel = $('#dir-user-share');
+            var form = this.$('#add-dir-user-share-item');
 
-            var emails = $('[name="emails"]', form).val(), // string
-                groups = $('[name="groups"]', form).val(); // null or [group.id]
-
-            if (!emails && !groups) {
-                Common.showFormError(form_id, gettext("Please select a contact or a group."));
+            var emails_input = $('[name="emails"]', form),
+                emails = emails_input.val(); // string
+            if (!emails) {
                 return false;
             }
 
-            var post_data = {
-                'repo_id': this.repo_id,
-                'path': this.dirent_path
-            };
-            if (emails) {
-                post_data['emails'] = emails;
-            }
-            if (groups) {
-                post_data['groups'] = groups.join(',');
-            }
-            post_data['perm'] = $('[name="permission"]', form).val();
-            var post_url = Common.getUrl({name: 'private_share_dir'});
-            var after_op_success = function(data) {
-                $.modal.close();
-                var msg = gettext("Successfully shared to {placeholder}")
-                    .replace('{placeholder}', Common.HTMLescape(data['shared_success'].join(', ')));
-                Common.feedback(msg, 'success');
-                if (data['shared_failed'].length > 0) {
-                    msg += '<br />' + gettext("Failed to share to {placeholder}")
-                        .replace('{placeholder}', Common.HTMLescape(data['shared_failed'].join(', ')));
-                    Common.feedback(msg, 'info');
-                }
-            };
+            var $add_item = $('#add-dir-user-share-item');
+            var repo_id = this.repo_id, 
+                path = this.dirent_path;
+            var perm = $('[name="permission"]', form).val();
 
-            Common.ajaxPost({
-                'form': form,
-                'post_url': post_url,
-                'post_data': post_data,
-                'after_op_success': after_op_success,
-                'form_id': form_id
+            $.ajax({
+                url: Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: repo_id
+                }) + '?p=' + encodeURIComponent(path),
+                dataType: 'json',
+                method: 'PUT',
+                beforeSend: Common.prepareCSRFToken,
+                traditional: true,
+                data: {
+                    'share_type': 'user',
+                    'username': emails.split(','),
+                    'permission': perm
+                },
+                success: function(data) {
+                    $(data.success).each(function(index, item) {
+                        var new_item = new FolderShareItemView({
+                            'repo_id': repo_id,
+                            'path': path,
+                            'item_data': {
+                                "user": item.user_info.name,
+                                "user_name": item.user_info.nickname,
+                                "perm": item.permission,
+                                'for_user': true
+                            }
+                        });
+                        $add_item.after(new_item.el);
+                    });
+                    emails_input.select2("val", "");
+                    if (data.failed.length > 0) {
+                        var err_msg = gettext("Failed to share to {placeholder}")
+                            .replace('{placeholder}', Common.HTMLescape(data.failed.join(', ')));
+                        $('.error', panel).html(err_msg).removeClass('hide');
+                    }
+                },
+                error: function(xhr) {
+                    var err_msg;
+                    if (xhr.responseText) {
+                        err_msg = gettext("Share failed");
+                    } else {
+                        err_msg = gettext("Failed. Please check the network.")
+                    }
+                    $('.error', panel).html(err_msg).removeClass('hide');
+                }
+            });
+        },
+
+        dirGroupShare: function () {
+            var panel = $('#dir-group-share');
+            var form = this.$('#add-dir-group-share-item');
+
+            var groups_input = $('[name="groups"]', form),
+                groups = groups_input.val(); // null or [group.id]
+
+            if (!groups) {
+                return false;
+            }
+
+            var $add_item = $('#add-dir-group-share-item');
+            var repo_id = this.repo_id, 
+                path = this.dirent_path;
+            var perm = $('[name="permission"]', form).val();
+
+            $.ajax({
+                url: Common.getUrl({
+                    name: 'dir_shared_items',
+                    repo_id: repo_id
+                }) + '?p=' + encodeURIComponent(path),
+                dataType: 'json',
+                method: 'PUT',
+                beforeSend: Common.prepareCSRFToken,
+                traditional: true,
+                data: {
+                    'share_type': 'group',
+                    'group_id': groups,
+                    'permission': perm
+                },
+                success: function(data) {
+                    $(data.success).each(function(index, item) {
+                        var new_item = new FolderShareItemView({
+                            'repo_id': repo_id,
+                            'path': path,
+                            'item_data': {
+                                "group_id": item.group_info.id,
+                                "group_name": item.group_info.name,
+                                "perm": item.permission,
+                                'for_user': false
+                            }
+                        });
+                        $add_item.after(new_item.el);
+                    });
+                    groups_input.select2("val", "");
+                },
+                error: function(xhr) {
+                    var err_msg;
+                    if (xhr.responseText) {
+                        err_msg = gettext("Share failed");
+                    } else {
+                        err_msg = gettext("Failed. Please check the network.")
+                    }
+                    $('.error', panel).html(err_msg).removeClass('hide');
+                }
             });
-            return false;
         }
+
     });
 
     return SharePopupView;
diff --git a/static/scripts/common.js b/static/scripts/common.js
index 9245939930..b15d073fd3 100644
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@@ -95,7 +95,6 @@ define([
               case 'send_shared_upload_link': return siteRoot + 'share/upload_link/send/';
               case 'delete_shared_upload_link': return siteRoot + 'share/ajax/upload_link/remove/';
               case 'get_share_upload_link': return siteRoot + 'share/ajax/get-upload-link/';
-              case 'private_share_dir': return siteRoot + 'share/ajax/private-share-dir/';
               case 'get_popup_notices': return siteRoot + 'ajax/get_popup_notices/';
               case 'set_notices_seen': return siteRoot + 'ajax/set_notices_seen/';
               case 'get_unseen_notices_num': return siteRoot + 'ajax/unseen-notices-count/';
@@ -112,6 +111,7 @@ define([
               case 'starred_files': return siteRoot + 'api2/starredfiles/';
               case 'shared_repos': return siteRoot + 'api2/shared-repos/' + options.repo_id + '/';
               case 'search_user': return siteRoot + 'api2/search-user/';
+              case 'dir_shared_items': return siteRoot + 'api2/repos/' + options.repo_id + '/dir/shared_items/';
             }
         },
 
diff --git a/tests/api/endpoints/test_dir_shared_items.py b/tests/api/endpoints/test_dir_shared_items.py
new file mode 100644
index 0000000000..41d396385e
--- /dev/null
+++ b/tests/api/endpoints/test_dir_shared_items.py
@@ -0,0 +1,184 @@
+import json
+
+from seaserv import seafile_api
+
+from seahub.test_utils import BaseTestCase
+
+class DirSharedItemsTest(BaseTestCase):
+    def tearDown(self):
+        self.remove_repo()
+
+    def _add_shared_items(self):
+        sub_repo_id = seafile_api.create_virtual_repo(self.repo.id,
+                                                      self.folder,
+                                                      self.repo.name, '',
+                                                      self.user.username)
+        # A user shares a folder to admin with permission 'rw'.
+        seafile_api.share_repo(sub_repo_id, self.user.username,
+                               self.admin.username, 'rw')
+        # A user shares a folder to group with permission 'rw'.
+        seafile_api.set_group_repo(sub_repo_id, self.group.id,
+                                   self.user.username, 'rw')
+
+    def test_can_list_all(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user,group' % (
+            self.repo.id,
+            self.folder))
+
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp) == 2
+
+    def test_list_without_repo_permission(self):
+        self._add_shared_items()
+        self.login_as(self.admin)
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user,group' % (
+            self.repo.id,
+            self.folder))
+
+        self.assertEqual(403, resp.status_code)
+
+    def test_can_list_without_share_type_arg(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s' % (
+            self.repo.id,
+            self.folder))
+
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp) == 2
+
+    def test_can_share_folder_to_users(self):
+        self.login_as(self.user)
+
+        resp = self.client.put(
+            '/api2/repos/%s/dir/shared_items/?p=%s' % (self.repo.id,
+                                                       self.folder),
+            "share_type=user&username=a@a.com&username=b@b.com",
+            'application/x-www-form-urlencoded',
+        )
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp['success']) == 2
+        assert json_resp['success'][0]['permission'] == 'r'
+
+    def test_can_share_root_to_groups(self):
+        self.login_as(self.user)
+
+        grp1 = self.group
+        grp2 = self.create_group(group_name="test-grp2",
+                                 username=self.user.username)
+
+        resp = self.client.put(
+            '/api2/repos/%s/dir/shared_items/?p=/' % (self.repo.id),
+            "share_type=group&group_id=%d&group_id=%d&permission=rw" % (grp1.id, grp2.id),
+            'application/x-www-form-urlencoded',
+        )
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp['success']) == 2
+        assert json_resp['success'][0]['permission'] == 'rw'
+
+    def test_can_share_folder_to_groups(self):
+        self.login_as(self.user)
+
+        grp1 = self.group
+        grp2 = self.create_group(group_name="test-grp2",
+                                 username=self.user.username)
+
+        resp = self.client.put(
+            '/api2/repos/%s/dir/shared_items/?p=%s' % (self.repo.id,
+                                                       self.folder),
+            "share_type=group&group_id=%d&group_id=%d&permission=rw" % (grp1.id, grp2.id),
+            'application/x-www-form-urlencoded',
+        )
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert len(json_resp['success']) == 2
+        assert json_resp['success'][0]['permission'] == 'rw'
+
+    def test_can_modify_user_shared_repo(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.post('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user&username=%s' % (
+            self.repo.id,
+            self.folder,
+            self.admin.username), {
+                'permission': 'r'
+            }
+        )
+        json_resp = json.loads(resp.content)
+        assert json_resp['success'] is True
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user' % (
+            self.repo.id,
+            self.folder))
+        json_resp = json.loads(resp.content)
+        assert json_resp[0]['permission'] == 'r'
+
+    def test_can_modify_group_shared_repo(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.post('/api2/repos/%s/dir/shared_items/?p=%s&share_type=group&group_id=%d' % (
+            self.repo.id,
+            self.folder,
+            self.group.id), {
+                'permission': 'r'
+            }
+        )
+        json_resp = json.loads(resp.content)
+        assert json_resp['success'] is True
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=group' % (
+            self.repo.id,
+            self.folder))
+        json_resp = json.loads(resp.content)
+        assert json_resp[0]['permission'] == 'r'
+
+    def test_can_unshare_repo_to_user(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.delete('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user&username=%s' % (
+            self.repo.id,
+            self.folder,
+            self.admin.username
+        ))
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert json_resp['success'] is True
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=user' % (
+            self.repo.id,
+            self.folder))
+
+        json_resp = json.loads(resp.content)
+        assert len(json_resp) == 0
+
+    def test_can_unshare_repo_to_group(self):
+        self._add_shared_items()
+        self.login_as(self.user)
+
+        resp = self.client.delete('/api2/repos/%s/dir/shared_items/?p=%s&share_type=group&group_id=%d' % (
+            self.repo.id,
+            self.folder,
+            self.group.id
+        ))
+        self.assertEqual(200, resp.status_code)
+        json_resp = json.loads(resp.content)
+        assert json_resp['success'] is True
+
+        resp = self.client.get('/api2/repos/%s/dir/shared_items/?p=%s&share_type=group' % (
+            self.repo.id,
+            self.folder))
+
+        json_resp = json.loads(resp.content)
+        assert len(json_resp) == 0