diff --git a/seahub/share/models.py b/seahub/share/models.py index 5f0fcddb0d..55481caf37 100644 --- a/seahub/share/models.py +++ b/seahub/share/models.py @@ -151,6 +151,9 @@ class FileShare(models.Model): else: return False + def is_owner(self, owner): + return owner == self.username + class OrgFileShareManager(models.Manager): def set_org_file_share(self, org_id, file_share): """Set a share link as org share link. @@ -233,6 +236,9 @@ class UploadLinkShare(models.Model): def is_encrypted(self): return True if self.password is not None else False + def is_owner(self, owner): + return owner == self.username + class PrivateFileDirShareManager(models.Manager): def add_private_file_share(self, from_user, to_user, repo_id, path, perm): """ diff --git a/seahub/share/urls.py b/seahub/share/urls.py index 744bc3f59c..1bedc65f06 100644 --- a/seahub/share/urls.py +++ b/seahub/share/urls.py @@ -12,18 +12,13 @@ urlpatterns = patterns('', url(r'^remove/$', repo_remove_share, name='repo_remove_share'), url(r'^link/get/$', get_shared_link, name='get_shared_link'), - url(r'^link/remove/$', remove_shared_link, name='remove_shared_link'), - url(r'^ajax/link/remove/$', ajax_remove_shared_link, name='ajax_remove_shared_link'), url(r'^link/send/$', send_shared_link, name='send_shared_link'), url(r'^link/save/$', save_shared_link, name='save_shared_link'), url(r'^upload_link/get/$', get_shared_upload_link, name='get_shared_upload_link'), - url(r'^upload_link/remove/$', remove_shared_upload_link, name='remove_shared_upload_link'), - url(r'^ajax/upload_link/remove/$', ajax_remove_shared_upload_link, name='ajax_remove_shared_upload_link'), - url(r'^upload_link/send/$', send_shared_upload_link, name='send_shared_upload_link'), url(r'^permission_admin/$', share_permission_admin, name='share_permission_admin'), diff --git a/seahub/share/views.py b/seahub/share/views.py index 52b32d25e3..2026e275ea 100644 --- a/seahub/share/views.py +++ b/seahub/share/views.py 
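Review bot: The new `is_owner` methods on FileShare and UploadLinkShare carry no docstring, and since they are now the authorization primitive the ajax delete views rely on, the contract deserves stating. I would add `"""Return True if *owner* (a username) is the user who created this link."""` to both, and note in the same docstring that the comparison is an exact string match of `self.username`, so callers must pass the same canonical form the field was stored with (whether usernames are normalized on save is not visible in this diff). The enclosing classes continue outside the hunks.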
@@ -868,65 +868,36 @@ def get_shared_link(request): data = json.dumps({'token': token, 'shared_link': shared_link}) return HttpResponse(data, status=200, content_type=content_type) -@login_required -def remove_shared_link(request): - """ - Handle request to remove file shared link. - """ - token = request.GET.get('t') - - FileShare.objects.filter(token=token).delete() - next = request.META.get('HTTP_REFERER', None) - if not next: - next = reverse('share_admin') - - messages.success(request, _(u'Removed successfully')) - - return HttpResponseRedirect(next) - - @login_required_ajax def ajax_remove_shared_link(request): - + username = request.user.username content_type = 'application/json; charset=utf-8' result = {} token = request.GET.get('t') - if not token: result = {'error': _(u"Argument missing")} return HttpResponse(json.dumps(result), status=400, content_type=content_type) try: link = FileShare.objects.get(token=token) - link.delete() - result = {'success': True} - return HttpResponse(json.dumps(result), content_type=content_type) - except: + except FileShare.DoesNotExist: result = {'error': _(u"The link doesn't exist")} return HttpResponse(json.dumps(result), status=400, content_type=content_type) + if not link.is_owner(username): + result = {'error': _("Permission denied")} + return HttpResponse(json.dumps(result), status=403, + content_type=content_type) -@login_required -def remove_shared_upload_link(request): - """ - Handle request to remove shared upload link. 
- """ - token = request.GET.get('t') - - UploadLinkShare.objects.filter(token=token).delete() - next = request.META.get('HTTP_REFERER', None) - if not next: - next = reverse('share_admin') - - messages.success(request, _(u'Removed successfully')) - - return HttpResponseRedirect(next) + link.delete() + result = {'success': True} + return HttpResponse(json.dumps(result), content_type=content_type) @login_required_ajax def ajax_remove_shared_upload_link(request): - + username = request.user.username content_type = 'application/json; charset=utf-8' result = {} @@ -937,13 +908,18 @@ def ajax_remove_shared_upload_link(request): try: upload_link = UploadLinkShare.objects.get(token=token) - upload_link.delete() - result = {'success': True} - return HttpResponse(json.dumps(result), content_type=content_type) - except: + except UploadLinkShare.DoesNotExist: result = {'error': _(u"The link doesn't exist")} return HttpResponse(json.dumps(result), status=400, content_type=content_type) + if not upload_link.is_owner(username): + result = {'error': _("Permission denied")} + return HttpResponse(json.dumps(result), status=403, + content_type=content_type) + upload_link.delete() + result = {'success': True} + return HttpResponse(json.dumps(result), content_type=content_type) + @login_required_ajax def send_shared_link(request): @@ -1075,6 +1051,14 @@ def gen_private_file_share(request, repo_id): file_or_dir = os.path.basename(path.rstrip('/')) username = request.user.username + next = request.META.get('HTTP_REFERER', None) + if not next: + next = SITE_ROOT + + if not check_folder_permission(request, repo_id, file_or_dir): + messages.error(request, _('Permission denied')) + return HttpResponseRedirect(next) + for email in [e.strip() for e in emails if e.strip()]: if not is_valid_username(email): continue 
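Review bot: ajax_remove_shared_link still reads the token from `request.GET.get('t')` and deletes on that same request, so a state-changing operation is reachable by a plain GET (an image tag or link on any page the victim opens) unless login_required_ajax restricts the HTTP method, which nothing in this hunk shows. The ownership check that was added closes the horizontal-escalation hole, but CSRF against the owner remains. I would add `@require_POST` from django.views.decorators.http above the view and read the token with `token = request.POST.get('t')`, updating the callers accordingly. With the urls.py hunk dropping the non-ajax `link/remove/` route, this view is the only remaining user-facing deletion path, so it is the one to harden.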
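Review bot: In ajax_remove_shared_upload_link the two failure branches are distinguishable, a 400 "The link doesn't exist" for an unknown token and a 403 "Permission denied" for a token owned by someone else, which lets any logged-in user confirm whether a guessed upload-link token is live without owning it. The token is the only secret protecting an upload link here, so that confirmation oracle is worth removing even though how guessable tokens are depends on their generation, which is outside this diff. I would make the ownership branch return exactly what the DoesNotExist branch returns, `result = {'error': _(u"The link doesn't exist")}` with `status=400`, so the two cases are indistinguishable to the caller.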
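Review bot: The new guard in gen_private_file_share calls `check_folder_permission(request, repo_id, file_or_dir)`, but the context line just above shows `file_or_dir = os.path.basename(path.rstrip('/'))`, so the check is evaluated against a top-level entry with that name rather than against the `path` actually being shared (check_folder_permission's definition is not in this diff; I am assuming from its name that the third argument is a path inside the library, which should be confirmed). If that assumption holds, sharing `/a/b/secret` is checked as `/secret`, which may not exist or may carry a different permission, and the guard is then either wrongly permissive or wrongly restrictive. I would change it to `if not check_folder_permission(request, repo_id, path):`. The function's signature and the origin of `path` and `emails` are outside the hunk.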
@@ -1096,9 +1080,6 @@ def gen_private_file_share(request, repo_id): share_file_to_user_successful.send(sender=None, priv_share_obj=pfds) messages.success(request, _('Successfully shared %s.') % file_or_dir) - next = request.META.get('HTTP_REFERER', None) - if not next: - next = SITE_ROOT return HttpResponseRedirect(next) @login_required diff --git a/seahub/templates/sysadmin/sys_publink_admin.html b/seahub/templates/sysadmin/sys_publink_admin.html index d25ec996bc..1257d409f2 100644 --- a/seahub/templates/sysadmin/sys_publink_admin.html +++ b/seahub/templates/sysadmin/sys_publink_admin.html @@ -22,7 +22,7 @@ {{ publink.ctime|translate_seahub_time }} {{ publink.view_cnt }} - + diff --git a/seahub/templates/sysadmin/userinfo.html b/seahub/templates/sysadmin/userinfo.html index de62fa866a..cf6f14c7f6 100644 --- a/seahub/templates/sysadmin/userinfo.html +++ b/seahub/templates/sysadmin/userinfo.html @@ -161,7 +161,7 @@ {% trans "Download" %} {{ link.view_cnt }} - {% trans "Remove"%} + {% trans "Remove"%} {% else %} {% trans @@ -170,7 +170,7 @@ {% trans "Upload" %} {{ link.view_cnt }} - {% trans "Remove"%} + {% trans "Remove"%} {% endif %} diff --git a/seahub/urls.py b/seahub/urls.py index 2cdd0385bb..d33827ada1 100644 --- a/seahub/urls.py +++ b/seahub/urls.py @@ -231,6 +231,8 @@ urlpatterns = patterns( url(r'^sys/orgadmin/(?P\d+)/library/$', sys_org_info_library, name='sys_org_info_library'), url(r'^sys/orgadmin/(?P\d+)/setting/$', sys_org_info_setting, name='sys_org_info_setting'), url(r'^sys/publinkadmin/$', sys_publink_admin, name='sys_publink_admin'), + url(r'^sys/publink/remove/$', sys_publink_remove, name='sys_publink_remove'), + url(r'^sys/uploadlink/remove/$', sys_upload_link_remove, name='sys_upload_link_remove'), url(r'^sys/notificationadmin/', notification_list, name='notification_list'), url(r'^sys/sudo/', sys_sudo_mode, name='sys_sudo_mode'), url(r'^useradmin/add/$', user_add, name="user_add"), 
diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py index 2acacf7f9d..df370c1ef4 100644 --- a/seahub/views/sysadmin.py +++ b/seahub/views/sysadmin.py @@ -1511,6 +1511,36 @@ def sys_publink_admin(request): }, context_instance=RequestContext(request)) +@login_required +@sys_staff_required +def sys_publink_remove(request): + """Remove share links. + """ + token = request.GET.get('t') + + FileShare.objects.filter(token=token).delete() + next = request.META.get('HTTP_REFERER', None) + if not next: + next = reverse('share_admin') + + messages.success(request, _(u'Removed successfully')) + return HttpResponseRedirect(next) + +@login_required +@sys_staff_required +def sys_upload_link_remove(request): + """Remove shared upload links. + """ + token = request.GET.get('t') + + UploadLinkShare.objects.filter(token=token).delete() + next = request.META.get('HTTP_REFERER', None) + if not next: + next = reverse('share_admin') + + messages.success(request, _(u'Removed successfully')) + return HttpResponseRedirect(next) + @login_required @sys_staff_required def user_search(request):
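Review bot: sys_publink_remove and sys_upload_link_remove report `Removed successfully` whether or not anything matched, and when `t` is absent `filter(token=None).delete()` silently removes nothing, so an admin following a stale or malformed link gets a misleading success message; both views also fall back to `reverse('share_admin')`, the per-user share page copied from the removed user-facing views, rather than the sysadmin listing these links are reached from. I would guard the token first, `if not token: messages.error(request, _(u'Argument missing'))` followed by the redirect, and make the fallback `next = reverse('sys_publink_admin')`. These are also GET-triggered deletions behind sys_staff_required, which makes them a higher-value CSRF target than the user views, so `@require_POST` is worth adding here too. The two functions differ only in the model they delete from, so a small private helper taking the model class would keep the fixes in one place.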