diff --git a/media/css/seahub.css b/media/css/seahub.css
index 39d0b779e4..0406ac5161 100644
--- a/media/css/seahub.css
+++ b/media/css/seahub.css
@@ -878,7 +878,7 @@ textarea:-moz-placeholder {/* for FF */
     }
     .nav-con-tabs-content {
         float:right;
-        width:550px;
+        width:564px;
         padding:0 1.4em 1em;
         min-height:150px;
         max-height:250px;
diff --git a/seahub/api2/endpoints/admin/group_owned_libraries.py b/seahub/api2/endpoints/admin/group_owned_libraries.py
index 4557e48914..78bb7682e5 100644
--- a/seahub/api2/endpoints/admin/group_owned_libraries.py
+++ b/seahub/api2/endpoints/admin/group_owned_libraries.py
@@ -18,7 +18,7 @@ from seahub.api2.endpoints.utils import api_check_group
 from seahub.signals import repo_created
 from seahub.utils import is_valid_dirent_name, is_org_context, \
         is_pro_version
-from seahub.utils.repo import get_library_storages, get_repo_owner
+from seahub.utils.repo import get_library_storages, get_repo_owner, get_available_repo_perms
 from seahub.utils.timeutils import timestamp_to_isoformat_timestr
 from seahub.share.signals import share_repo_to_group_successful
 from seahub.constants import PERMISSION_READ, PERMISSION_READ_WRITE
@@ -64,7 +64,7 @@ class AdminGroupOwnedLibraries(APIView):
         password = request.data.get("password", None)
 
         permission = request.data.get('permission', PERMISSION_READ_WRITE)
-        if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE]:
+        if permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/api2/endpoints/admin/shares.py b/seahub/api2/endpoints/admin/shares.py
index bbfb87815a..0d89573a5c 100644
--- a/seahub/api2/endpoints/admin/shares.py
+++ b/seahub/api2/endpoints/admin/shares.py
@@ -23,6 +23,7 @@ from seahub.share.signals import share_repo_to_user_successful, share_repo_to_gr
 from seahub.base.accounts import User
 from seahub.base.templatetags.seahub_tags import email2nickname
 from seahub.utils import is_valid_username, send_perm_audit_msg
+from seahub.utils.repo import get_available_repo_perms
 from seahub.constants import PERMISSION_READ, PERMISSION_READ_WRITE, \
         PERMISSION_ADMIN
 
@@ -157,9 +158,7 @@ class AdminShares(APIView):
 
         # argument check
         permission = request.data.get('permission', None)
-        if not permission or permission not in (PERMISSION_READ, 
-                                                PERMISSION_READ_WRITE,
-                                                PERMISSION_ADMIN):
+        if not permission or permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -306,9 +305,7 @@ class AdminShares(APIView):
 
         # argument check
         permission = request.data.get('permission', None)
-        if not permission or permission not in (PERMISSION_READ, 
-                                                PERMISSION_READ_WRITE,
-                                                PERMISSION_ADMIN):
+        if not permission or permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/api2/endpoints/copy_move_task.py b/seahub/api2/endpoints/copy_move_task.py
index 6532db7440..d64b096662 100644
--- a/seahub/api2/endpoints/copy_move_task.py
+++ b/seahub/api2/endpoints/copy_move_task.py
@@ -17,7 +17,7 @@ from seahub.api2.views import HTTP_443_ABOVE_QUOTA
 
 from seahub.views import check_folder_permission
 from seahub.utils import check_filename_with_rename
-from seahub.utils.repo import get_repo_owner
+from seahub.utils.repo import get_repo_owner, parse_repo_perm
 from seahub.utils.file_op import check_file_lock
 from seahub.settings import MAX_PATH
 
@@ -193,7 +193,8 @@ class CopyMoveTaskView(APIView):
 
         if operation == 'copy':
             # permission check for src parent dir
-            if not check_folder_permission(request, src_repo_id, src_parent_dir):
+            if parse_repo_perm(check_folder_permission(
+                            request, src_repo_id, src_parent_dir)).can_copy is False:
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
diff --git a/seahub/api2/endpoints/dir_shared_items.py b/seahub/api2/endpoints/dir_shared_items.py
index c89cd7b593..ee602a2b22 100644
--- a/seahub/api2/endpoints/dir_shared_items.py
+++ b/seahub/api2/endpoints/dir_shared_items.py
@@ -34,6 +34,7 @@ from seahub.utils import (is_org_context, is_valid_username,
 from seahub.share.signals import share_repo_to_user_successful, share_repo_to_group_successful
 from seahub.constants import PERMISSION_READ, PERMISSION_READ_WRITE, \
         PERMISSION_ADMIN
+from seahub.utils.repo import get_available_repo_perms
 
 
 logger = logging.getLogger(__name__)
@@ -218,7 +219,7 @@ class DirSharedItemsEndpoint(APIView):
             return api_error(status.HTTP_404_NOT_FOUND, 'Folder %s not found.' % path)
 
         permission = request.data.get('permission', PERMISSION_READ)
-        if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]:
+        if permission not in get_available_repo_perms():
             return api_error(status.HTTP_400_BAD_REQUEST, 'permission invalid.')
 
         repo_owner = self.get_repo_owner(request, repo_id)
@@ -299,7 +300,7 @@ class DirSharedItemsEndpoint(APIView):
             return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
 
         permission = request.data.get('permission', PERMISSION_READ)
-        if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]:
+        if permission not in get_available_repo_perms():
             return api_error(status.HTTP_400_BAD_REQUEST, 'permission invalid.')
 
         result = {}
diff --git a/seahub/api2/endpoints/file.py b/seahub/api2/endpoints/file.py
index 91fa1c8008..94e9317d8b 100644
--- a/seahub/api2/endpoints/file.py
+++ b/seahub/api2/endpoints/file.py
@@ -24,6 +24,7 @@ from seahub.views import check_folder_permission
 from seahub.utils.file_op import check_file_lock, if_locked_by_online_office
 from seahub.views.file import can_preview_file, can_edit_file
 from seahub.constants import PERMISSION_READ_WRITE
+from seahub.utils.repo import parse_repo_perm
 
 from seahub.settings import MAX_UPLOAD_FILE_NAME_LEN, \
     FILE_LOCK_EXPIRATION_DAYS, OFFICE_TEMPLATE_ROOT
@@ -406,7 +407,9 @@ class FileView(APIView):
             # permission check for source file
             src_repo_id = repo_id
             src_dir = os.path.dirname(path)
-            if not check_folder_permission(request, src_repo_id, src_dir):
+
+            if parse_repo_perm(check_folder_permission(
+                            request, src_repo_id, src_dir)).can_copy is False:
                 error_msg = 'Permission denied.'
                 return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
diff --git a/seahub/api2/endpoints/group_libraries.py b/seahub/api2/endpoints/group_libraries.py
index f38db226bf..27bc758f2c 100644
--- a/seahub/api2/endpoints/group_libraries.py
+++ b/seahub/api2/endpoints/group_libraries.py
@@ -21,7 +21,7 @@ from seahub.group.utils import is_group_member, is_group_admin
 from seahub.utils import is_org_context, is_valid_dirent_name, \
         send_perm_audit_msg
 from seahub.utils.timeutils import timestamp_to_isoformat_timestr
-from seahub.utils.repo import get_repo_owner
+from seahub.utils.repo import get_repo_owner, get_available_repo_perms
 from seahub.share.models import ExtraGroupsSharePermission
 from seahub.share.signals import share_repo_to_group_successful
 from seahub.share.utils import is_repo_admin, check_group_share_in_permission, \
@@ -119,7 +119,7 @@ class GroupLibraries(APIView):
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
         permission = request.data.get('permission', PERMISSION_READ)
-        if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]:
+        if permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/api2/endpoints/group_owned_libraries.py b/seahub/api2/endpoints/group_owned_libraries.py
index aab6f6ef4d..9cc698625d 100644
--- a/seahub/api2/endpoints/group_owned_libraries.py
+++ b/seahub/api2/endpoints/group_owned_libraries.py
@@ -29,7 +29,9 @@ from seahub.group.utils import is_group_admin
 from seahub.utils import is_valid_dirent_name, is_org_context, \
         is_pro_version, normalize_dir_path, is_valid_username, \
         send_perm_audit_msg, is_valid_org_id
-from seahub.utils.repo import get_library_storages, get_repo_owner
+from seahub.utils.repo import (
+    get_library_storages, get_repo_owner, get_available_repo_perms
+)
 from seahub.utils.timeutils import timestamp_to_isoformat_timestr
 from seahub.utils.rpc import SeafileAPI
 from seahub.share.signals import share_repo_to_user_successful, share_repo_to_group_successful
@@ -312,7 +314,7 @@ class GroupOwnedLibraryUserFolderPermission(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in [PERMISSION_READ, PERMISSION_READ_WRITE]:
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -405,7 +407,7 @@ class GroupOwnedLibraryUserFolderPermission(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in [PERMISSION_READ, PERMISSION_READ_WRITE]:
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -585,7 +587,7 @@ class GroupOwnedLibraryGroupFolderPermission(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in [PERMISSION_READ, PERMISSION_READ_WRITE]:
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -673,7 +675,7 @@ class GroupOwnedLibraryGroupFolderPermission(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in [PERMISSION_READ, PERMISSION_READ_WRITE]:
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/api2/endpoints/repos_batch.py b/seahub/api2/endpoints/repos_batch.py
index 9a9308a22d..ad4a256a10 100644
--- a/seahub/api2/endpoints/repos_batch.py
+++ b/seahub/api2/endpoints/repos_batch.py
@@ -28,7 +28,8 @@ from seahub.share.signals import share_repo_to_user_successful, \
 from seahub.utils import is_org_context, send_perm_audit_msg, \
         normalize_dir_path, get_folder_permission_recursively, \
         normalize_file_path, check_filename_with_rename
-from seahub.utils.repo import get_repo_owner
+from seahub.utils.repo import get_repo_owner, get_available_repo_perms, \
+        parse_repo_perm
 
 from seahub.views import check_folder_permission
 from seahub.settings import MAX_PATH
@@ -147,7 +148,7 @@ class ReposBatchView(APIView):
                 return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
             permission = request.data.get('permission', 'rw')
-            if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]:
+            if permission not in get_available_repo_perms():
                 error_msg = 'permission invalid.'
                 return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -854,7 +855,7 @@ class ReposBatchCopyItemView(APIView):
                 continue
 
             # src path permission check, user must has `r/rw` permission for src folder.
-            if check_folder_permission(request, src_repo_id, src_parent_dir) is None:
+            if parse_repo_perm(check_folder_permission(request, src_repo_id, src_parent_dir)).can_copy is False:
                 error_dict = {
                     'error_msg': 'Permission denied.'
                 }
diff --git a/seahub/api2/endpoints/share_link_zip_task.py b/seahub/api2/endpoints/share_link_zip_task.py
index 8b570a7d52..9d84123cc0 100644
--- a/seahub/api2/endpoints/share_link_zip_task.py
+++ b/seahub/api2/endpoints/share_link_zip_task.py
@@ -18,6 +18,7 @@ from seahub.views.file import send_file_access_msg
 from seahub.share.models import FileShare
 from seahub.utils import is_windows_operating_system, \
     is_pro_version
+from seahub.utils.repo import parse_repo_perm
 
 import seaserv
 from seaserv import seafile_api
@@ -85,8 +86,8 @@ class ShareLinkZipTaskView(APIView):
             error_msg = 'Folder %s not found.' % real_path
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 
-        if not seafile_api.check_permission_by_path(repo_id, '/',
-                fileshare.username):
+        if parse_repo_perm(seafile_api.check_permission_by_path(
+                    repo_id, '/', fileshare.username)).can_download is False:
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
diff --git a/seahub/api2/endpoints/share_links.py b/seahub/api2/endpoints/share_links.py
index 7502d1daa3..ced97550e8 100644
--- a/seahub/api2/endpoints/share_links.py
+++ b/seahub/api2/endpoints/share_links.py
@@ -25,6 +25,7 @@ from seahub.share.models import FileShare, OrgFileShare
 from seahub.utils import gen_shared_link, is_org_context
 from seahub.views import check_folder_permission
 from seahub.utils.timeutils import datetime_to_isoformat_timestr
+from seahub.utils.repo import parse_repo_perm
 
 from seahub.settings import SHARE_LINK_EXPIRE_DAYS_MAX, \
         SHARE_LINK_EXPIRE_DAYS_MIN
@@ -270,9 +271,8 @@ class ShareLinks(APIView):
                 error_msg = 'path %s not found.' % path
 
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
-
-        # permission check
-        if not check_folder_permission(request, repo_id, path):
+       
+        if parse_repo_perm(check_folder_permission(request, repo_id, path)).can_download is False:
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
diff --git a/seahub/api2/endpoints/shared_repos.py b/seahub/api2/endpoints/shared_repos.py
index bd6917597d..b670ea6884 100644
--- a/seahub/api2/endpoints/shared_repos.py
+++ b/seahub/api2/endpoints/shared_repos.py
@@ -15,9 +15,9 @@ from seahub.api2.authentication import TokenAuthentication
 from seahub.api2.throttling import UserRateThrottle
 from seahub.profile.models import Profile
 from seahub.utils import is_org_context, is_valid_username, send_perm_audit_msg
+from seahub.utils.repo import get_available_repo_perms
 from seahub.base.templatetags.seahub_tags import email2nickname, email2contact_email
 from seahub.share.models import ExtraSharePermission, ExtraGroupsSharePermission
-from seahub.constants import PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN
 from seahub.share.utils import update_user_dir_permission, update_group_dir_permission,\
         check_user_share_out_permission, check_group_share_out_permission
 
@@ -111,7 +111,7 @@ class SharedRepo(APIView):
 
         # argument check
         permission = request.data.get('permission', None)
-        if permission not in [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]:
+        if permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/api2/endpoints/zip_task.py b/seahub/api2/endpoints/zip_task.py
index bc3c1d4445..f55f15cc3c 100644
--- a/seahub/api2/endpoints/zip_task.py
+++ b/seahub/api2/endpoints/zip_task.py
@@ -19,6 +19,7 @@ from seahub.api2.utils import api_error
 from seahub.views import check_folder_permission
 from seahub.views.file import send_file_access_msg
 from seahub.utils import is_windows_operating_system
+from seahub.utils.repo import parse_repo_perm
 
 import seaserv
 from seaserv import seafile_api
@@ -68,7 +69,7 @@ class ZipTaskView(APIView):
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 
         # permission check
-        if not check_folder_permission(request, repo_id, parent_dir):
+        if parse_repo_perm(check_folder_permission(request, repo_id, parent_dir)).can_download is False:
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
diff --git a/seahub/api2/utils.py b/seahub/api2/utils.py
index c9db6785a8..a0f32c33c2 100644
--- a/seahub/api2/utils.py
+++ b/seahub/api2/utils.py
@@ -13,6 +13,7 @@ from functools import wraps
 
 from django.core.paginator import EmptyPage, InvalidPage
 from django.http import HttpResponse
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.response import Response
 from rest_framework import status, serializers
 from seaserv import seafile_api, get_personal_groups_by_user, \
@@ -435,3 +436,9 @@ def user_to_dict(email, request=None, avatar_size=AVATAR_DEFAULT_SIZE):
         'user_contact_email': d['contact_email'],
         'avatar_url': avatar_url,
     }
+
+def is_web_request(request):
+    if isinstance(request.successful_authenticator, SessionAuthentication):
+        return True
+    else:
+        return False
diff --git a/seahub/api2/views.py b/seahub/api2/views.py
index 393360f8da..de5b1075b9 100644
--- a/seahub/api2/views.py
+++ b/seahub/api2/views.py
@@ -33,9 +33,8 @@ from .throttling import ScopedRateThrottle, AnonRateThrottle, UserRateThrottle
 from .authentication import TokenAuthentication
 from .serializers import AuthTokenSerializer
 from .utils import get_diff_details, to_python_boolean, \
-    api_error, get_file_size, prepare_starred_files, \
+    api_error, get_file_size, prepare_starred_files, is_web_request, \
     get_groups, api_group_check, get_timestamp, json_response, is_seafile_pro
-
 from seahub.wopi.utils import get_wopi_dict
 from seahub.api2.base import APIView
 from seahub.api2.models import TokenV2, DESKTOP_PLATFORMS
@@ -75,9 +74,9 @@ from seahub.utils.devices import do_unlink_device
 from seahub.utils.repo import get_repo_owner, get_library_storages, \
         get_locked_files_by_dir, get_related_users_by_repo, \
         is_valid_repo_id_format, can_set_folder_perm_by_user, \
-        add_encrypted_repo_secret_key_to_database
-from seahub.utils.star import star_file, unstar_file, \
-        get_dir_starred_files
+        add_encrypted_repo_secret_key_to_database, get_available_repo_perms, \
+        parse_repo_perm
+from seahub.utils.star import star_file, unstar_file, get_dir_starred_files
 from seahub.utils.file_types import DOCUMENT
 from seahub.utils.file_size import get_file_size_unit
 from seahub.utils.file_op import check_file_lock
@@ -689,6 +688,7 @@ class Repos(APIView):
             else:
                 shared_repos = seafile_api.get_share_in_repo_list(
                         email, -1, -1)
+
             repos_with_admin_share_to = ExtraSharePermission.objects.\
                     get_repos_with_admin_permission(email)
 
@@ -711,6 +711,10 @@ class Repos(APIView):
                     library_group_id = get_group_id_by_repo_owner(r.user)
                     library_group_name= group_id_to_name(library_group_id)
 
+                if parse_repo_perm(r.permission).can_download is False:
+                    if not is_web_request(request):
+                        continue
+
                 r.password_need = is_passwd_set(r.repo_id, email)
                 repo = {
                     "type": "srepo",
@@ -766,6 +770,10 @@ class Repos(APIView):
                 if q and q.lower() not in r.name.lower():
                     continue
 
+                if parse_repo_perm(r.permission).can_download is False:
+                    if not is_web_request(request):
+                        continue
+
                 repo = {
                     "type": "grepo",
                     "id": r.repo_id,
@@ -2297,7 +2305,7 @@ class OpCopyView(APIView):
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 
         # permission check
-        if check_folder_permission(request, repo_id, parent_dir) is None:
+        if parse_repo_perm(check_folder_permission(request, repo_id, parent_dir)).can_copy is False:
             return api_error(status.HTTP_403_FORBIDDEN,
                     'You do not have permission to copy file of this folder.')
 
@@ -2737,7 +2745,8 @@ class FileView(APIView):
                 return api_error(status.HTTP_400_BAD_REQUEST, 'Missing arguments.')
 
             # check src folder permission
-            if check_folder_permission(request, repo_id, src_dir) is None:
+
+            if parse_repo_perm(check_folder_permission(request, repo_id, src_dir)).can_copy is False:
                 return api_error(status.HTTP_403_FORBIDDEN,
                                  'You do not have permission to copy file.')
 
@@ -3075,7 +3084,10 @@ class FileHistory(APIView):
             error_msg = 'File %s not found.' % path
             return api_error(status.HTTP_404_NOT_FOUND, error_msg)
 
-        if check_folder_permission(request, repo_id, path) != 'rw':
+
+        permission = check_folder_permission(request, repo_id, path)
+        if permission not in get_available_repo_perms():
+
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -3125,8 +3137,7 @@ class FileSharedLinkView(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, 'Password is too short')
 
         if share_type.lower() == 'download':
-
-            if check_folder_permission(request, repo_id, path) is None:
+            if parse_repo_perm(check_folder_permission(request, repo_id, path)).can_download is False:
                 return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied')
 
             if not request.user.permissions.can_generate_share_link():
@@ -3251,7 +3262,9 @@ class DirView(APIView):
 
         # permission check
         permission = check_folder_permission(request, repo_id, path)
-        if not permission:
+        if parse_repo_perm(permission).can_download is False and \
+           not is_web_request(request):
+            # preview only repo and this request does not came from web brower
             error_msg = 'Permission denied.'
             return api_error(status.HTTP_403_FORBIDDEN, error_msg)
 
@@ -3983,7 +3996,7 @@ class SharedRepo(APIView):
         share_type = request.GET.get('share_type')
         permission = request.GET.get('permission')
 
-        if permission not in ('r', 'rw'):
+        if permission not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -4440,7 +4453,7 @@ class GroupRepos(APIView):
                              'NOT allow to create encrypted library.')
 
         permission = request.data.get("permission", 'r')
-        if permission != 'r' and permission != 'rw':
+        if permission not in get_available_repo_perms():
             return api_error(status.HTTP_400_BAD_REQUEST, 'Invalid permission')
 
         org_id = -1
@@ -4812,14 +4825,27 @@ class RepoTokensView(APIView):
         if any([not _REPO_ID_PATTERN.match(repo_id) for repo_id in repos_id]):
             return api_error(status.HTTP_400_BAD_REQUEST, "Libraries ids are invalid")
 
+        username = request.user.username
         tokens = {}
         for repo_id in repos_id:
             repo = seafile_api.get_repo(repo_id)
             if not repo:
                 continue
 
-            if not check_folder_permission(request, repo.id, '/'):
-                continue
+            perm = check_folder_permission(request, repo.id, '/')
+            if not perm:
+                res = {
+                    'reason': 'no permission',
+                    'unsyncable_path': '/'
+                }
+                return Response(res, status=status.HTTP_403_FORBIDDEN)
+
+            if not seafile_api.is_repo_syncable(repo_id, username, perm):
+                res = {
+                    'reason': 'unsyncable share permission',
+                    'unsyncable_path': '/'
+                }
+                return Response(res, status=status.HTTP_403_FORBIDDEN)
 
             tokens[repo_id] = seafile_api.generate_repo_token(repo_id, request.user.username)
 
@@ -5140,7 +5166,7 @@ class RepoUserFolderPerm(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in ('r', 'rw'):
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -5228,7 +5254,7 @@ class RepoUserFolderPerm(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in ('r', 'rw'):
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -5415,7 +5441,7 @@ class RepoGroupFolderPerm(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in ('r', 'rw'):
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
@@ -5502,7 +5528,7 @@ class RepoGroupFolderPerm(APIView):
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
         perm = request.data.get('permission', None)
-        if not perm or perm not in ('r', 'rw'):
+        if not perm or perm not in get_available_repo_perms():
             error_msg = 'permission invalid.'
             return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
 
diff --git a/seahub/constants.py b/seahub/constants.py
index e71348fbf3..5cf5b78baa 100644
--- a/seahub/constants.py
+++ b/seahub/constants.py
@@ -6,7 +6,9 @@ DEFAULT_USER = 'default'
 # Guest user have limited operations, can not create group and library.
 GUEST_USER = 'guest'
 
-# Permissions
+# Repo/folder permissions
+PERMISSION_PREVIEW = 'preview'  # preview only on the web, can not be downloaded
+PERMISSION_PREVIEW_EDIT = 'cloud-edit'  # preview only with edit on the web
 PERMISSION_READ = 'r'
 PERMISSION_READ_WRITE = 'rw'
 PERMISSION_ADMIN = 'admin'
diff --git a/seahub/group/views.py b/seahub/group/views.py
index c2bf4f465e..5ac325ec91 100644
--- a/seahub/group/views.py
+++ b/seahub/group/views.py
@@ -16,6 +16,7 @@ from django.utils.http import urlquote
 from django.utils.translation import ugettext as _
 
 from seahub.auth.decorators import login_required, login_required_ajax
+from seahub.constants import PERMISSION_PREVIEW
 import seaserv
 from seaserv import ccnet_threaded_rpc, seafile_api, \
     get_group_repos, get_group, \
@@ -323,8 +324,8 @@ def group_wiki(request, group, page_name="home"):
         if is_registered_user(username):
             repo_perm = seafile_api.check_permission_by_path(repo.id, '/', username)
         else:
-            # when anonymous user visit public group wiki, set permission as 'r'
-            repo_perm = 'r'
+            # when anonymous user visit public group wiki, set permission as preview only
+            repo_perm = PERMISSION_PREVIEW
 
         wiki_index_exists = True
         index_pagename = 'index'
@@ -370,8 +371,8 @@ def group_wiki_pages(request, group):
     if is_registered_user(username):
         repo_perm = seafile_api.check_permission_by_path(repo.id, '/', username)
     else:
-        # when anonymous user visit public group wiki, set permission as 'r'
-        repo_perm = 'r'
+        # when anonymous user visit public group wiki, set permission as preview only
+        repo_perm = PERMISSION_PREVIEW
 
     mods_available = get_available_mods_by_group(group.id)
     mods_enabled = get_enabled_mods_by_group(group.id)
diff --git a/seahub/templates/file_revisions.html b/seahub/templates/file_revisions.html
index c4122dafbb..3992b94228 100644
--- a/seahub/templates/file_revisions.html
+++ b/seahub/templates/file_revisions.html
@@ -85,7 +85,9 @@
         <a href="#" class="op vh restore-file" data-commit_id="<%- commit_id %>" data-commit_path="<%- path %>">{% trans 'Restore' %}</a>
         <% } %>
         {% endif %}
+        {% if can_download_file %}
         <a href="<%- download_file_url %>" class="op vh">{% trans 'Download' %}</a>
+        {% endif %}
         <a href="<%- view_history_file_url %>" class="op vh" target="_blank">{% trans 'View' %}</a>
         {% if can_compare %}
         <a href="<%- diff_url %>" class="op vh text-diff">{% trans 'Diff' %}</a>
diff --git a/seahub/templates/js/templates.html b/seahub/templates/js/templates.html
index 6e7d92c1d8..1d94de7e82 100644
--- a/seahub/templates/js/templates.html
+++ b/seahub/templates/js/templates.html
@@ -488,7 +488,7 @@
     </div>
     <% } %>
 
-    <% if (!encrypted && (app.pageOptions.can_generate_share_link || app.pageOptions.can_generate_upload_link || is_repo_owner || is_admin)) { %>
+    <% if (can_share) { %>
     <button class="btn-white hidden-sm-down" id="share-cur-dir">{% trans "Share" %}</button>
     <span class="sf2-icon-share hidden-md-up mobile-icon" id="share-cur-dir" aria-label="{% trans "Share" %}"></span>
     <% } %>
@@ -586,10 +586,11 @@
     <td class="dirent-op">
         <div class="op-container">
             <div class="displayed-op">
-
+                <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
                 <a class="op-icon download sf2-icon-download sf2-x vh download-dir" href="#" title="{% trans "Download" %}" aria-label="{% trans "Download" %}"></a>
+                <% } %>
 
-                <% if (!repo_encrypted && (can_generate_share_link || can_generate_upload_link || is_repo_owner || is_admin)) { %>
+                <% if (can_share_dir) { %>
                     <a href="#" class="op-icon share sf2-icon-share sf2-x vh" title="{% trans "Share" %}" aria-label="{% trans "Share" %}"></a>
                 <% } %>
                 <% if (dirent.perm == 'rw') { %>
@@ -665,8 +666,10 @@
                 <div class="mobile-menu-mask"></div>
                 <div class="mobile-menu-content">
                     <ul>
+                        <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
                         <li><a class="op download download-dir" href="#">{% trans "Download" %}</a></li>
-                        <% if (!repo_encrypted && (can_generate_share_link || can_generate_upload_link || is_repo_owner || is_admin)) { %>
+                        <% } %>
+                        <% if (can_share_dir) { %>
                         <li><a href="#" class="op share">{% trans "Share" %}</a></li>
                         <% } %>
                         <% if (dirent.perm == 'rw') { %>
@@ -742,8 +745,11 @@
     <td class="dirent-op">
         <div class="op-container">
             <div class="displayed-op">
+                <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
                 <a class="op-icon download sf2-icon-download sf2-x vh" href="<%= download_url %>" title="{% trans "Download" %}" aria-label="{% trans "Download" %}"></a>
-                <% if (!repo_encrypted && can_generate_share_link) { %>
+                <% } %>
+
+                <% if (can_share_file) { %>
                 <a href="#" class="op-icon share sf2-icon-share sf2-x vh" title="{% trans "Share" %}" aria-label="{% trans "Share" %}"></a>
                 <% } %>
                 <% if (dirent.perm == 'rw') { %>
@@ -804,6 +810,17 @@
                     <li><a class="op view-details" href="#">{% trans "Details" %}</a></li>
                 </ul>
             </div>
+            <% } else if (dirent.perm == 'cloud-edit' || dirent.perm == 'preview') { %>
+            <div class="sf-dropdown sf-dropdown-inline">
+                <a class="more-op-icon sf2-icon-caret-down op-icon vh sf-dropdown-toggle" title="{% trans "More Operations" %}" aria-label="{% trans "More Operations" %}"></a>
+                <ul class="hidden-op dirent-hidden-op hide sf-dropdown-menu">
+                    <% if (app.pageOptions.enable_file_comment) { %>
+                    <li><a class="op file-comment" href="#">{% trans "Comment" %}</a><li>
+                    <% } %>
+                    <li><a class="op file-history" href="{{ SITE_ROOT }}repo/file_revisions/<%= repo_id %>/?p=<% print(encodeURIComponent(dirent_path)); %>&referer=<% print(encodeURIComponent(location.href)); %>">{% trans "History" %}</a></li>
+                    <li><a class="op view-details" href="#">{% trans "Details" %}</a></li>
+                </ul>
+            </div>
             <% } %>
         </div>
     </td>
@@ -876,8 +893,10 @@
                 <div class="mobile-menu-mask"></div>
                 <div class="mobile-menu-content">
                 <ul>
+                <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
                 <li><a class="op download download-close-menu" href="<%= download_url %>">{% trans "Download" %}</a></li>
-                <% if (!repo_encrypted && can_generate_share_link) { %>
+                <% } %>
+                <% if (can_share_file) { %>
                 <li><a class="op share" href="#">{% trans "Share" %}</a></li>
                 <% } %>
                 <% if (dirent.perm == 'rw') { %>
@@ -918,7 +937,7 @@
                         <% } %>
                     <% } %>
                     <li><a class="op view-details" href="#">{% trans "Details" %}</a></li>
-                <% } else if (dirent.perm == 'r') { %>
+                <% } else if (dirent.perm == 'r' || dirent.perm == 'cloud-edit' || dirent.perm == 'preview') { %>
                     <% if (app.pageOptions.enable_file_comment) { %>
                     <li><a class="op file-comment" href="#">{% trans "Comment" %}</a><li>
                     <% } %>
@@ -963,8 +982,11 @@
 <script type="text/template" id="grid-view-file-op-tmpl">
     <div class="grid-item-op sf-dropdown-menu">
         <ul>
+            <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
             <li><a class="op download" href="<%= download_url %>">{% trans "Download" %}</a></li>
-            <% if (!repo_encrypted && can_generate_share_link) { %>
+            <% } %>
+
+            <% if (can_share_file) { %>
             <li><a class="op share" href="#">{% trans "Share" %}</a></li>
             <% } %>
             <% if (dirent.perm == 'rw') { %>
@@ -1002,7 +1024,7 @@
                 <% } %>
             <li><a class="op view-details" href="#">{% trans "Details" %}</a></li>
 
-            <% } else if (dirent.perm == 'r') { %>
+            <% } else if (dirent.perm == 'r' || dirent.perm == 'cloud-edit' || dirent.perm == 'preview') { %>
                 <% if (app.pageOptions.enable_file_comment) { %>
                 <li><a class="op file-comment" href="#">{% trans "Comment" %}</a><li>
                 <% } %>
@@ -1023,9 +1045,11 @@
 <script type="text/template" id="grid-view-dir-op-tmpl">
     <div class="grid-item-op sf-dropdown-menu">
         <ul>
+            <% if (dirent.perm == 'rw' || dirent.perm == 'r') { %>
             <li><a class="op download-dir" href="#">{% trans "Download" %}</a></li>
+            <% } %>
 
-            <% if (!repo_encrypted && (can_generate_share_link || can_generate_upload_link || is_repo_owner || is_admin)) { %>
+            <% if (can_share_dir) { %>
             <li><a class="op share" href="#">{% trans "Share" %}</a></li>
             <% } %>
 
@@ -1372,6 +1396,10 @@
                                 <% if (show_admin_perm_option) { %>
                                 <option value="admin">{% trans "Admin" %}</option>
                                 <% } %>
+                                {% if is_pro %}
+                                <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                {% endif %}
                             </select>
                         </td>
                         <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
@@ -1408,6 +1436,10 @@
                                 <% if (show_admin_perm_option) { %>
                                 <option value="admin">{% trans "Admin" %}</option>
                                 <% } %>
+                                {% if is_pro %}
+                                <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                {% endif %}
                             </select>
                         </td>
                         <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
@@ -1695,8 +1727,12 @@
                 <% } else { %>
                     <% if (permission == 'rw') { %>
                         {% trans "Read-Write" %}
-                    <% } else { %>
+                    <% } else if (permission == 'r') { %>
                         {% trans "Read-Only" %}
+                    <% } else if (permission == 'cloud-edit') { %>
+                        {% trans "Preview-Edit-on-Cloud" %}
+                    <% } else { %>
+                        {% trans "Preview-on-Cloud" %}
                     <% } %>
                 <% } %>
             </span>
@@ -1708,25 +1744,22 @@
                     <option value="rw">{% trans "Read-Write" %}</option>
                     <option value="r">{% trans "Read-Only" %}</option>
                     <option value="admin" selected="selected">{% trans "Admin" %}</option>
+                    <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                    <option value="preview">{% trans "Preview-on-Cloud" %}</option>
                 <% } else { %>
-                    <% if (permission == 'rw') { %>
-                        <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
-                        <option value="r">{% trans "Read-Only" %}</option>
-                        <option value="admin">{% trans "Admin" %}</option>
-                    <% } else { %>
-                        <option value="rw">{% trans "Read-Write" %}</option>
-                        <option value="r" selected="selected">{% trans "Read-Only" %}</option>
-                        <option value="admin">{% trans "Admin" %}</option>
-                    <% } %>
+                    <option value="rw" <% if (permission == 'rw') { %>selected="selected"<% } %>>{% trans "Read-Write" %}</option>
+                    <option value="r" <% if (permission == 'r') { %>selected="selected"<% } %>>{% trans "Read-Only" %}</option>
+                    <option value="admin">{% trans "Admin" %}</option>
+                    <option value="cloud-edit" <% if (permission == 'cloud-edit') { %>selected="selected"<% } %>>{% trans "Preview-Edit-on-Cloud" %}</option>
+                    <option value="preview" <% if (permission == 'preview') { %>selected="selected"<% } %>>{% trans "Preview-on-Cloud" %}</option>
                 <% } %>
             <% } else { %>
-                <% if (permission == 'rw') { %>
-                    <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
-                    <option value="r">{% trans "Read-Only" %}</option>
-                <% } else { %>
-                    <option value="rw">{% trans "Read-Write" %}</option>
-                    <option value="r" selected="selected">{% trans "Read-Only" %}</option>
-                <% } %>
+                <option value="rw" <% if (permission == 'rw') { %>selected="selected"<% } %>>{% trans "Read-Write" %}</option>
+                <option value="r" <% if (permission == 'r') { %>selected="selected"<% } %>>{% trans "Read-Only" %}</option>
+                {% if is_pro %}
+                <option value="cloud-edit" <% if (permission == 'cloud-edit') { %>selected="selected"<% } %>>{% trans "Preview-Edit-on-Cloud" %}</option>
+                <option value="preview" <% if (permission == 'preview') { %>selected="selected"<% } %>>{% trans "Preview-on-Cloud" %}</option>
+                {% endif %}
             <% } %>
         </select>
     </td>
@@ -1760,6 +1793,10 @@
                             <select name="permission" class="folder-perm-select w100">
                                 <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
                                 <option value="r">{% trans "Read-Only" %}</option>
+                                {% if is_pro %}
+                                <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                {% endif %}
                             </select>
                         </td>
                         <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
@@ -1786,6 +1823,10 @@
                             <select name="permission" class="folder-perm-select w100">
                                 <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
                                 <option value="r">{% trans "Read-Only" %}</option>
+                                {% if is_pro %}
+                                <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                {% endif %}
                             </select>
                         </td>
                         <td><input type="submit" value="{% trans "Submit" %}" class="submit" /></td>
@@ -2336,6 +2377,10 @@
                                 <select name="permission" class="folder-perm-select w100">
                                     <option value="rw" selected="selected">{% trans "Read-Write"%}</option>
                                     <option value="r">{% trans "Read-Only"%}</option>
+                                    {% if is_pro %}
+                                    <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                    <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                    {% endif %}
                                 </select>
                             </td>
                             <td>
@@ -2382,6 +2427,10 @@
                                 <select name="permission" class="folder-perm-select w100">
                                     <option value="rw" selected="selected">{% trans "Read-Write"%}</option>
                                     <option value="r">{% trans "Read-Only"%}</option>
+                                    {% if is_pro %}
+                                    <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                                    <option value="preview">{% trans "Preview-on-Cloud" %}</option>
+                                    {% endif %}
                                 </select>
                             </td>
                             <td>
@@ -2531,42 +2580,31 @@
                     <option value="rw">{% trans "Read-Write" %}</option>
                     <option value="r">{% trans "Read-Only" %}</option>
                     <option value="admin" selected="selected">{% trans "Admin" %}</option>
+                    <option value="cloud-edit">{% trans "Preview-Edit-on-Cloud" %}</option>
+                    <option value="preview">{% trans "Preview-on-Cloud" %}</option>
                 </select>
             <% } else { %>
-                <% if (share_permission == 'rw') { %>
-                    <span class="cur-perm">{% trans "Read-Write" %}</span>
-                    <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-                    <select class="perm-select select-white hide">
-                        <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
-                        <option value="r">{% trans "Read-Only" %}</option>
-                        <option value="admin">{% trans "Admin" %}</option>
-                    </select>
-                <% } else { %>
-                    <span class="cur-perm">{% trans "Read-Only" %}</span>
-                    <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-                    <select class="perm-select select-white hide">
-                        <option value="rw">{% trans "Read-Write" %}</option>
-                        <option value="r" selected="selected">{% trans "Read-Only" %}</option>
-                        <option value="admin">{% trans "Admin" %}</option>
-                    </select>
-                <% } %>
+                <span class="cur-perm"><%= cur_perm_text %></span>
+                <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
+                <select class="perm-select select-white hide">
+                    <option value="rw" <% if (share_permission == 'rw') { %>selected="selected"<% } %>>{% trans "Read-Write" %}</option>
+                    <option value="r" <% if (share_permission == 'r') { %>selected="selected"<% } %>>{% trans "Read-Only" %}</option>
+                    <option value="admin">{% trans "Admin" %}</option>
+                    <option value="cloud-edit" <% if (share_permission == 'cloud-edit') { %>selected="selected"<% } %>>{% trans "Preview-Edit-on-Cloud" %}</option>
+                    <option value="preview" <% if (share_permission == 'preview') { %>selected="selected"<% } %>>{% trans "Preview-on-Cloud" %}</option>
+                </select>
             <% } %>
         <% } else { %>
-            <% if (share_permission == 'rw') { %>
-                <span class="cur-perm">{% trans "Read-Write" %}</span>
-                <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-                <select class="perm-select select-white hide">
-                    <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
-                    <option value="r">{% trans "Read-Only" %}</option>
-                </select>
-            <% } else { %>
-                <span class="cur-perm">{% trans "Read-Only" %}</span>
-                <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-                <select class="perm-select select-white hide">
-                    <option value="rw">{% trans "Read-Write" %}</option>
-                    <option value="r" selected="selected">{% trans "Read-Only" %}</option>
-                </select>
-            <% } %>
+            <span class="cur-perm"><%= cur_perm_text %></span>
+            <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
+            <select class="perm-select select-white hide">
+                <option value="rw" <% if (share_permission == 'rw') { %>selected="selected"<% } %>>{% trans "Read-Write" %}</option>
+                <option value="r" <% if (share_permission == 'r') { %>selected="selected"<% } %>>{% trans "Read-Only" %}</option>
+                {% if is_pro %}
+                <option value="cloud-edit" <% if (share_permission == 'cloud-edit') { %>selected="selected"<% } %>>{% trans "Preview-Edit-on-Cloud" %}</option>
+                <option value="preview" <% if (share_permission == 'preview') { %>selected="selected"<% } %>>{% trans "Preview-on-Cloud" %}</option>
+                {% endif %}
+            </select>
         <% } %>
     </td>
     <td>
@@ -2585,21 +2623,16 @@
     <td>{% trans "all members"%}</td>
     <% } %>
     <td>
-        <% if (share_permission == 'rw') { %>
-            <span class="cur-perm">{% trans "Read-Write" %}</span>
-            <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-            <select class="perm-select select-white hide">
-                <option value="rw" selected="selected">{% trans "Read-Write" %}</option>
-                <option value="r">{% trans "Read-Only" %}</option>
-            </select>
-        <% } else { %>
-            <span class="cur-perm">{% trans "Read-Only" %}</span>
-            <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
-            <select class="perm-select select-white hide">
-                <option value="rw">{% trans "Read-Write" %}</option>
-                <option value="r" selected="selected">{% trans "Read-Only" %}</option>
-            </select>
-        <% } %>
+        <span class="cur-perm"><%= cur_perm_text %></span>
+        <a href="#" title="{% trans "Edit" %}" class="perm-edit-icon sf2-icon-edit op-icon vh"></a>
+        <select class="perm-select select-white hide">
+            <option value="rw" <% if (share_permission == 'rw') { %>selected="selected"<% } %>>{% trans "Read-Write" %}</option>
+            <option value="r" <% if (share_permission == 'r') { %>selected="selected"<% } %>>{% trans "Read-Only" %}</option>
+            {% if is_pro %}
+            <option value="cloud-edit" <% if (share_permission == 'cloud-edit') { %>selected="selected"<% } %>>{% trans "Preview-Edit-on-Cloud" %}</option>
+            <option value="preview" <% if (share_permission == 'preview') { %>selected="selected"<% } %>>{% trans "Preview-on-Cloud" %}</option>
+            {% endif %}
+        </select>
     </td>
     <td>
         <a href="#" class="unshare op-icon sf2-icon-delete vh" title="{% trans "Unshare" %}"></a>
diff --git a/seahub/templates/view_file_base.html b/seahub/templates/view_file_base.html
index 4fb0b1018c..76f3739875 100644
--- a/seahub/templates/view_file_base.html
+++ b/seahub/templates/view_file_base.html
@@ -162,11 +162,12 @@
     {% endblock %}
     {% endif %}
 
-    {% if enable_file_comment %}
+    {% if can_download_file %}
     <a class="sf-btn-group-btn sf-btn-link op-icon sf2-icon-download" href="?dl=1" id="download" title="{% trans "Download"%}"></a>
-    <button id="discuss" class="sf-btn-group-btn sf-btn-group-btn-last op-icon sf2-icon-msgs" title="{% trans "Comment" %}"></button>
-    {% else %}
-    <a class="sf-btn-group-btn sf-btn-group-btn-last sf-btn-link op-icon sf2-icon-download" href="?dl=1" id="download" title="{% trans "Download"%}"></a>
+    {% endif %}
+
+    {% if enable_file_comment %}
+    <button id="discuss" class="sf-btn-group-btn op-icon sf2-icon-msgs" title="{% trans "Comment" %}"></button>
     {% endif %}
 
 </script>
@@ -203,9 +204,11 @@
             </li>
             {% endif %}
 
+            {% if can_download_file %}
             <li>
                 <a id="download" class="op download" href="?dl=1" title="{% trans "Download"%}">{% trans "Download"%}</a>
             </li>
+            {% endif %}
         </ul>
         <div>
 </script>
@@ -568,6 +571,7 @@ var DropDownMenu = {
         var _this = this;
         var template = $(window).width() > 992 ? this.$deviceTmp : this.$mobileTmp;
         this.$el.html(template);
+        $('.sf-btn-group-btn:last', this.$el).addClass('sf-btn-group-btn-last');
 
         //bind click event for the menu item;
         {% if can_lock_unlock_file %}
diff --git a/seahub/templates/view_file_text.html b/seahub/templates/view_file_text.html
index 2a199a84a6..7338518c2c 100644
--- a/seahub/templates/view_file_text.html
+++ b/seahub/templates/view_file_text.html
@@ -18,7 +18,7 @@
 {% endblock %}
 
 {% block edit_file %}
-{% if file_perm == 'rw' and not err%}
+{% if not err %}
 <a class="sf-btn-group-btn sf-btn-link op-icon sf2-icon-edit" href="{{ SITE_ROOT }}repo/{{ repo.id }}/file/edit/?p={{ path|urlencode }}&file_enc={{file_enc}}" id="edit" title="{% trans "Edit" %}"></a>
 {% endif %}
 {% endblock %}
diff --git a/seahub/templates/view_history_file.html b/seahub/templates/view_history_file.html
index 7691970cc0..7ee184163e 100644
--- a/seahub/templates/view_history_file.html
+++ b/seahub/templates/view_history_file.html
@@ -20,7 +20,9 @@
             {% endblock %}
         </div>
 
+        {% if can_download_file %}
         <a class="file-view-op sf-btn-link fright" href="{% url 'download_file' repo.id obj_id%}?file_name={{ file_name|urlencode }}&p={{path|urlencode}}" id="download">{% trans "Download"%}</a>
+        {% endif %}
     </div>
 
     {% include 'snippets/file_content_html.html' %}
@@ -29,10 +31,12 @@
 {% block extra_script %}
 {% include "snippets/file_view_js.html" %}
 <script type="text/javascript">
+{% if can_download_file %}
 $(function() {
     var dld_url = $('#download').attr('href');
     $('#file-view-tip').append('<a href="' + dld_url + '" class="sf-btn-link big-btn-link">' + "{% trans "Download" %}" + '</a>');
 });
+{% endif %}
 
 {% if filetype == 'Image' and not err %}
     $('#image-view').attr('src', '{{ raw_path|escapejs }}');
diff --git a/seahub/utils/repo.py b/seahub/utils/repo.py
index 8d230f5055..6dce13d537 100644
--- a/seahub/utils/repo.py
+++ b/seahub/utils/repo.py
@@ -1,10 +1,15 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 # -*- coding: utf-8 -*-
 import logging
+from collections import namedtuple
 
 import seaserv
 from seaserv import seafile_api, ccnet_api
 
+from seahub.constants import (
+    PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT,
+    PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN
+)
 from seahub.utils import EMPTY_SHA1, is_org_context, is_pro_version
 from seahub.base.models import RepoSecretKey
 from seahub.base.templatetags.seahub_tags import email2nickname
@@ -14,6 +19,38 @@ from seahub.settings import ENABLE_STORAGE_CLASSES, \
 
 logger = logging.getLogger(__name__)
 
+def get_available_repo_perms():
+    perms = [PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN]
+    if is_pro_version():
+        perms += [PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT]
+
+    return perms
+
+
+def parse_repo_perm(perm):
+    RP = namedtuple('RepoPerm', [
+        'can_download', 'can_upload',  # download/uplaod files/folders
+        'can_edit_on_web',             # edit files on web
+        'can_copy',                    # copy files/folders on web
+        'can_preview',                 # preview files on web
+    ])
+
+    RP.can_download = True if perm in [
+        PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN] else False
+    RP.can_upload = True if perm in [
+        PERMISSION_READ_WRITE, PERMISSION_ADMIN] else False
+    RP.can_edit_on_web = True if perm in [
+        PERMISSION_READ_WRITE, PERMISSION_ADMIN, PERMISSION_PREVIEW_EDIT
+    ] else False
+    RP.can_copy = True if perm in [
+        PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN,
+    ] else False
+    RP.can_preview = True if perm in [
+        PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN,
+        PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT
+    ] else False
+    return RP
+
 def list_dir_by_path(cmmt, path):
     if cmmt.root_id == EMPTY_SHA1:
         return []
diff --git a/seahub/views/__init__.py b/seahub/views/__init__.py
index e95c0337f2..96fc8bf121 100644
--- a/seahub/views/__init__.py
+++ b/seahub/views/__init__.py
@@ -45,7 +45,7 @@ from seahub.utils import render_permission_error, render_error, \
     is_pro_version, FILE_AUDIT_ENABLED, is_valid_dirent_name, \
     is_windows_operating_system
 from seahub.utils.star import get_dir_starred_files
-from seahub.utils.repo import get_library_storages
+from seahub.utils.repo import get_library_storages, parse_repo_perm
 from seahub.utils.file_op import check_file_lock
 from seahub.utils.timeutils import utc_to_local
 from seahub.utils.auth import get_login_bg_image_path
@@ -825,8 +825,8 @@ def file_revisions(request, repo_id):
         logger.error(e)
         is_locked, locked_by_me = False, False
 
-    if seafile_api.check_permission_by_path(repo_id, path, username) != 'rw' or \
-        (is_locked and not locked_by_me):
+    repo_perm = seafile_api.check_permission_by_path(repo_id, path, username)
+    if repo_perm != 'rw' or (is_locked and not locked_by_me):
         can_revert_file = False
 
     # for 'go back'
@@ -862,6 +862,7 @@ def file_revisions(request, repo_id):
         'is_owner': is_owner,
         'can_compare': can_compare,
         'can_revert_file': can_revert_file,
+        'can_download_file': parse_repo_perm(repo_perm).can_download,
         'referer': referer,
         })
 
@@ -947,7 +948,8 @@ def repo_download_dir(request, repo_id):
     else:
         dirname = repo.name
 
-    allow_download = True if check_folder_permission(request, repo_id, '/') else False
+    allow_download = parse_repo_perm(check_folder_permission(
+        request, repo_id, '/')).can_download
 
     if allow_download:
 
diff --git a/seahub/views/ajax.py b/seahub/views/ajax.py
index 51cc563779..561c2f20a2 100644
--- a/seahub/views/ajax.py
+++ b/seahub/views/ajax.py
@@ -48,7 +48,7 @@ from seahub.utils.star import get_dir_starred_files
 from seahub.utils.file_types import IMAGE, VIDEO, XMIND
 from seahub.utils.file_op import check_file_lock, ONLINE_OFFICE_LOCK_OWNER
 from seahub.utils.repo import get_locked_files_by_dir, get_repo_owner, \
-        repo_has_been_shared_out
+        repo_has_been_shared_out, parse_repo_perm
 from seahub.utils.error_msg import file_type_error_msg, file_size_error_msg
 from seahub.base.accounts import User
 from seahub.thumbnail.utils import get_thumbnail_src
@@ -829,7 +829,8 @@ def cp_dirents(request, src_repo_id, src_path, dst_repo_id, dst_path, obj_file_n
     content_type = 'application/json; charset=utf-8'
     username = request.user.username
 
-    if check_folder_permission(request, src_repo_id, src_path) is None:
+    if parse_repo_perm(check_folder_permission(
+            request, src_repo_id, src_path)).can_copy is False:
         error_msg = _(u'You do not have permission to copy files/folders in this directory')
         result['error'] = error_msg
         return HttpResponse(json.dumps(result), status=403, content_type=content_type)
diff --git a/seahub/views/file.py b/seahub/views/file.py
index 5e936bdf80..fb4c86c0d2 100644
--- a/seahub/views/file.py
+++ b/seahub/views/file.py
@@ -67,7 +67,7 @@ from seahub.utils.file_op import check_file_lock, \
         ONLINE_OFFICE_LOCK_OWNER, if_locked_by_online_office
 from seahub.views import check_folder_permission, \
         get_unencry_rw_repos_by_user
-from seahub.utils.repo import is_repo_owner
+from seahub.utils.repo import is_repo_owner, parse_repo_perm
 from seahub.group.utils import is_group_member
 from seahub.thumbnail.utils import extract_xmind_image, get_thumbnail_src, \
         XMIND_IMAGE_SIZE, THUMBNAIL_ROOT
@@ -487,6 +487,9 @@ def view_lib_file(request, repo_id, path):
     dl = request.GET.get('dl', '0') == '1'
     raw = request.GET.get('raw', '0') == '1'
     if dl or raw:
+        if parse_repo_perm(permission).can_download is False:
+            raise Http404
+
         operation = 'download' if dl else 'view'
         token = seafile_api.get_fileserver_access_token(
             repo_id, file_id, operation, username,
@@ -514,6 +517,7 @@ def view_lib_file(request, repo_id, path):
         'highlight_keyword': settings.HIGHLIGHT_KEYWORD,
         'enable_file_comment': settings.ENABLE_FILE_COMMENT,
         'enable_watermark': ENABLE_WATERMARK,
+        'can_download_file': parse_repo_perm(permission).can_download,
     }
 
     # check whether file is starred
@@ -548,6 +552,12 @@ def view_lib_file(request, repo_id, path):
     return_dict['fileshare'] = fileshare,
     return_dict['file_shared_link'] = file_shared_link
 
+    if parse_repo_perm(permission).can_download and \
+       request.user.permissions.can_generate_share_link():
+        return_dict['can_share_file'] = True
+    else:
+        return_dict['can_share_file'] = False
+
     # fetch file contributors and latest contributor
     try:
         # get real path for sub repo
@@ -626,7 +636,7 @@ def view_lib_file(request, repo_id, path):
             return_dict['file_content'] = file_content
 
         can_edit_file = True
-        if permission == 'r':
+        if parse_repo_perm(permission).can_edit_on_web is False:
             can_edit_file = False
         elif is_locked and not locked_by_me:
             can_edit_file = False
@@ -707,7 +717,7 @@ def view_lib_file(request, repo_id, path):
                 action_name = 'view'
 
             # then check if can edit file
-            if ENABLE_OFFICE_WEB_APP_EDIT and permission == 'rw' and \
+            if ENABLE_OFFICE_WEB_APP_EDIT and parse_repo_perm(permission).can_edit_on_web and \
                     fileext in OFFICE_WEB_APP_EDIT_FILE_EXTENSION and \
                     ((not is_locked) or (is_locked and locked_by_me) or \
                     (is_locked and locked_by_online_office)):
@@ -868,6 +878,7 @@ def view_history_file_common(request, repo_id, ret_dict):
     ret_dict['fileext'] = fileext
     ret_dict['raw_path'] = raw_path
     ret_dict['enable_watermark'] = ENABLE_WATERMARK
+    ret_dict['can_download_file'] = parse_repo_perm(user_perm).can_download
     if not ret_dict.has_key('filetype'):
         ret_dict['filetype'] = filetype
 
@@ -1338,7 +1349,8 @@ def file_edit_submit(request, repo_id):
     parent_dir = os.path.dirname(path)
 
     # edit file, so check parent_dir's permission
-    if check_folder_permission(request, repo_id, parent_dir) != 'rw':
+    if parse_repo_perm(check_folder_permission(
+            request, repo_id, parent_dir)).can_edit_on_web is False:
         return error_json(_(u'Permission denied'))
 
     try:
@@ -1440,7 +1452,8 @@ def file_edit(request, repo_id):
     filename = urllib2.quote(u_filename.encode('utf-8'))
     parent_dir = os.path.dirname(path)
 
-    if check_folder_permission(request, repo.id, parent_dir) != 'rw':
+    if parse_repo_perm(check_folder_permission(
+            request, repo.id, parent_dir)).can_edit_on_web is False:
         return render_permission_error(request, _(u'Unable to edit file'))
 
     head_id = repo.head_cmmt_id
@@ -1595,7 +1608,8 @@ def download_file(request, repo_id, obj_id):
     # only check the permissions at the repo level
     # to prevent file can not be downloaded on the history page
     # if it has been renamed
-    if check_folder_permission(request, repo_id, '/'):
+    if parse_repo_perm(check_folder_permission(
+            request, repo_id, '/')).can_download is True:
         # Get a token to access file
         token = seafile_api.get_fileserver_access_token(repo_id,
                 obj_id, 'download', username)
@@ -1628,8 +1642,8 @@ def get_file_content_by_commit_and_path(request, repo_id, commit_id, path, file_
     if not obj_id or obj_id == EMPTY_SHA1:
         return '', None
     else:
-        permission = check_folder_permission(request, repo_id, '/')
-        if permission:
+        if parse_repo_perm(check_folder_permission(
+                request, repo_id, '/')).can_preview is True:
             # Get a token to visit file
             token = seafile_api.get_fileserver_access_token(repo_id,
                     obj_id, 'view', request.user.username)
diff --git a/seahub/wopi/views.py b/seahub/wopi/views.py
index a7aecaadb5..2c85d01f84 100644
--- a/seahub/wopi/views.py
+++ b/seahub/wopi/views.py
@@ -19,10 +19,9 @@ from pysearpc import SearpcError
 from seaserv import seafile_api
 
 from seahub.base.accounts import User, ANONYMOUS_EMAIL
+from seahub.base.templatetags.seahub_tags import email2nickname
 from seahub.utils import gen_inner_file_get_url, \
     gen_inner_file_upload_url, is_pro_version
-from seahub.base.templatetags.seahub_tags import email2nickname
-
 from seahub.settings import SITE_ROOT
 
 from seahub.wopi.utils import get_file_info_by_token
diff --git a/static/scripts/app/collections/repos.js b/static/scripts/app/collections/repos.js
index f58c2c51eb..212b9705f6 100644
--- a/static/scripts/app/collections/repos.js
+++ b/static/scripts/app/collections/repos.js
@@ -15,7 +15,6 @@ define([
         },
 
         initialize: function(options) {
-            //console.log('init RepoCollection');
             if (options) {
                 this.type = options.type ? options.type : 'mine';
             }
diff --git a/static/scripts/app/models/repo.js b/static/scripts/app/models/repo.js
index 21dd3f8efa..821db0e7ca 100644
--- a/static/scripts/app/models/repo.js
+++ b/static/scripts/app/models/repo.js
@@ -54,16 +54,11 @@ define([
         },
 
         getIconTitle: function() {
-            var icon_title = '';
-            if (this.get('encrypted')) {
-                icon_title = gettext("Encrypted library");
-            } else if (this.get('permission') == "rw") {
-                icon_title = gettext("Read-Write library");
-            } else {
-                icon_title = gettext("Read-Only library");
-            }
-
-            return icon_title;
+            return Common.getLibIconTitle({
+                'encrypted': this.get('encrypted'),
+                'is_admin': this.get('is_admin'),
+                'permission': this.get('permission')
+            });
         }
 
     });
diff --git a/static/scripts/app/models/share-admin-folder.js b/static/scripts/app/models/share-admin-folder.js
index 73f1f80171..d131b8bee8 100644
--- a/static/scripts/app/models/share-admin-folder.js
+++ b/static/scripts/app/models/share-admin-folder.js
@@ -20,13 +20,9 @@ define([
         },
 
         getIconTitle: function() {
-            var icon_title = ''; 
-            if (this.get('share_permission') == "rw") {
-                icon_title = gettext("Read-Write");
-            } else {
-                icon_title = gettext("Read-Only");
-            }   
-            return icon_title;
+            return Common.getFolderIconTitle({
+                'permission': this.get('share_permission')
+            });
         }   
 
     });
diff --git a/static/scripts/app/models/share-admin-repo.js b/static/scripts/app/models/share-admin-repo.js
index 7d0dca4d3c..7316e28604 100644
--- a/static/scripts/app/models/share-admin-repo.js
+++ b/static/scripts/app/models/share-admin-repo.js
@@ -17,14 +17,11 @@ define([
         },
 
         getIconTitle: function() {
-            var icon_title = '';
-            if (this.get('share_permission') == "rw") {
-                icon_title = gettext("Read-Write");
-            } else {
-                icon_title = gettext("Read-Only");
-            }
-
-            return icon_title;
+            return Common.getLibIconTitle({
+                'encrypted': this.get('encrypted'),
+                'is_admin': this.get('is_admin'),
+                'permission': this.get('share_permission')
+            });
         }
 
     });
diff --git a/static/scripts/app/views/dir.js b/static/scripts/app/views/dir.js
index cd6e69f73f..90bbcdcabc 100644
--- a/static/scripts/app/views/dir.js
+++ b/static/scripts/app/views/dir.js
@@ -566,6 +566,17 @@ define([
 
             renderToolbar: function() {
                 var dir = this.dir;
+
+                // show 'share' or not
+                var can_share = false;
+                if (!dir.encrypted &&
+                    (app.pageOptions.can_generate_share_link ||
+                    app.pageOptions.can_generate_upload_link ||
+                    dir.is_repo_owner || dir.is_admin) &&
+                    (dir.user_perm == 'rw' || dir.user_perm == 'r')) {
+                    can_share = true;
+                }
+
                 var data = {
                     user_perm: dir.user_perm,
                     no_quota: dir.no_quota,
@@ -574,7 +585,7 @@ define([
                     path: dir.path,
                     repo_id: dir.repo_id,
                     is_repo_owner: dir.is_repo_owner,
-                    is_admin: dir.is_admin,
+                    can_share: can_share,
                     site_root: app.pageOptions.site_root
                 };
 
diff --git a/static/scripts/app/views/dirent-grid.js b/static/scripts/app/views/dirent-grid.js
index a80808aad0..44adcace5c 100644
--- a/static/scripts/app/views/dirent-grid.js
+++ b/static/scripts/app/views/dirent-grid.js
@@ -113,6 +113,23 @@ define([
                 can_set_folder_perm = true;
             }
 
+            // show 'share' or not
+            var can_share_dir = false;
+            var can_share_file = false;
+            var perm = this.model.get('perm');
+            if (!dir.repo_encrypted &&
+                (app.pageOptions.can_generate_share_link ||
+                app.pageOptions.can_generate_upload_link ||
+                (dir.is_repo_owner || dir.is_admin)) &&
+                (perm == 'rw' || perm == 'r')) {
+                can_share_dir = true;
+            }
+            if (!dir.repo_encrypted &&
+                app.pageOptions.can_generate_share_link &&
+                (perm == 'rw' || perm == 'r')) {
+                can_share_file = true;
+            }
+
             var op = template({
                 dirent: this.model.attributes,
                 dirent_path: this.model.getPath(),
@@ -120,8 +137,12 @@ define([
                 category: dir.category,
                 repo_id: dir.repo_id,
                 is_repo_owner: dir.is_repo_owner,
-                is_admin: dir.is_admin,
+
                 can_set_folder_perm: can_set_folder_perm,
+
+                can_share_dir: can_share_dir,
+                can_share_file: can_share_file,
+
                 can_generate_share_link: app.pageOptions.can_generate_share_link,
                 can_generate_upload_link: app.pageOptions.can_generate_upload_link,
                 is_pro: app.pageOptions.is_pro,
diff --git a/static/scripts/app/views/dirent.js b/static/scripts/app/views/dirent.js
index 0b8c5f83bd..4e48d8a20b 100644
--- a/static/scripts/app/views/dirent.js
+++ b/static/scripts/app/views/dirent.js
@@ -55,6 +55,23 @@ define([
                 can_set_folder_perm = true;
             }
 
+            // show 'share' or not
+            var can_share_dir = false;
+            var can_share_file = false;
+            var perm = this.model.get('perm');
+            if (!dir.repo_encrypted &&
+                (app.pageOptions.can_generate_share_link ||
+                app.pageOptions.can_generate_upload_link ||
+                (dir.is_repo_owner || dir.is_admin)) &&
+                (perm == 'rw' || perm == 'r')) {
+                can_share_dir = true;
+            }
+            if (!dir.repo_encrypted &&
+                app.pageOptions.can_generate_share_link &&
+                (perm == 'rw' || perm == 'r')) {
+                can_share_file = true;
+            }
+
             this.$el.html(template({
                 dirent: this.model.attributes,
                 dirent_path: dirent_path,
@@ -66,11 +83,13 @@ define([
                 category: dir.category,
                 repo_id: dir.repo_id,
                 is_repo_owner: dir.is_repo_owner,
-                is_admin: dir.is_admin,
                 repo_encrypted: dir.encrypted,
 
                 can_set_folder_perm: can_set_folder_perm,
 
+                can_share_dir: can_share_dir,
+                can_share_file: can_share_file,
+
                 can_generate_share_link: app.pageOptions.can_generate_share_link,
                 can_generate_upload_link: app.pageOptions.can_generate_upload_link,
                 is_pro: app.pageOptions.is_pro,
diff --git a/static/scripts/app/views/share-admin-folder.js b/static/scripts/app/views/share-admin-folder.js
index c9f742a009..f911023444 100644
--- a/static/scripts/app/views/share-admin-folder.js
+++ b/static/scripts/app/views/share-admin-folder.js
@@ -101,13 +101,30 @@ define([
         render: function() {
             var obj = this.model.toJSON(),
                 icon_size = Common.isHiDPI() ? 96 : 24,
-                icon_url = this.model.getIconUrl(icon_size);
+                icon_url = this.model.getIconUrl(icon_size),
+                cur_perm_text;
+
+            switch(obj.share_permission) {
+                case 'rw':
+                    cur_perm_text = gettext("Read-Write");
+                    break;
+                case 'r':
+                    cur_perm_text = gettext("Read-Only");
+                    break;
+                case 'cloud-edit':
+                    cur_perm_text = gettext("Preview-Edit-on-Cloud");
+                    break;
+                case 'preview':
+                    cur_perm_text = gettext("Preview-on-Cloud");
+                    break;
+            }
 
             _.extend(obj, {
                 'icon_url': icon_url,
                 'icon_title': this.model.getIconTitle(),
                 'url': this.model.getWebUrl(),
-                'name': this.model.get('folder_name')
+                'name': this.model.get('folder_name'),
+                'cur_perm_text': cur_perm_text
             });
 
             this.$el.html(this.template(obj));
diff --git a/static/scripts/app/views/share-admin-repo.js b/static/scripts/app/views/share-admin-repo.js
index 5fdbebcea2..859cb64ee7 100644
--- a/static/scripts/app/views/share-admin-repo.js
+++ b/static/scripts/app/views/share-admin-repo.js
@@ -110,19 +110,36 @@ define([
             var obj = this.model.toJSON(),
                 icon_size = Common.isHiDPI() ? 48 : 24,
                 icon_url = this.model.getIconUrl(icon_size),
-                share_type = this.model.get('share_type');
+                share_type = this.model.get('share_type'),
+                cur_perm_text;
 
             this.show_admin = false;
             if (app.pageOptions.is_pro && share_type != 'public') {
                 this.show_admin = true;
             }
 
+            switch(obj.share_permission) {
+                case 'rw':
+                    cur_perm_text = gettext("Read-Write");
+                    break;
+                case 'r':
+                    cur_perm_text = gettext("Read-Only");
+                    break;
+                case 'cloud-edit':
+                    cur_perm_text = gettext("Preview-Edit-on-Cloud");
+                    break;
+                case 'preview':
+                    cur_perm_text = gettext("Preview-on-Cloud");
+                    break;
+            }
+
             _.extend(obj, {
                 'icon_url': icon_url,
                 'icon_title': this.model.getIconTitle(),
                 'url': this.model.getWebUrl(),
                 'name': this.model.get('repo_name'),
-                'show_admin': this.show_admin
+                'show_admin': this.show_admin,
+                'cur_perm_text': cur_perm_text
             });
 
             this.$el.html(this.template(obj));
diff --git a/static/scripts/common.js b/static/scripts/common.js
index ff1b03e81a..744d0ee091 100644
--- a/static/scripts/common.js
+++ b/static/scripts/common.js
@@ -343,16 +343,51 @@ define([
             return app.config.mediaUrl + 'img/lib/' + icon_size + '/' + icon_name;
         },
 
-        getLibIconTitle: function(is_encrypted, is_readonly) {
-            if (is_encrypted) {
-                return gettext("Encrypted library");
-            } else if (is_readonly) {
-                return gettext("Read-Only library");
+        getLibIconTitle: function(options) {
+            var title;
+            if (options.encrypted) {
+                title = gettext("Encrypted library");
+            } else if (options.is_admin) { // shared with 'admin' permission
+                title = gettext("Admin access");
             } else {
-                return gettext("Read-Write library");
+                switch(options.permission) {
+                    case 'rw':
+                        title = gettext("Read-Write library");
+                        break;
+                    case 'r':
+                        title = gettext("Read-Only library");
+                        break;
+                    case 'cloud-edit':
+                        title = gettext("Preview-Edit-on-Cloud library");
+                        break;
+                    case 'preview':
+                        title = gettext("Preview-on-Cloud library");
+                        break;
+                }
             }
+            return title;
         },
 
+        getFolderIconTitle: function(options) {
+            var title;
+            switch(options.permission) {
+                case 'rw':
+                    title = gettext("Read-Write folder");
+                    break;
+                case 'r':
+                    title = gettext("Read-Only folder");
+                    break;
+                case 'cloud-edit':
+                    title = gettext("Preview-Edit-on-Cloud folder");
+                    break;
+                case 'preview':
+                    title = gettext("Preview-on-Cloud folder");
+                    break;
+            }
+            return title;
+        },
+
+
         isHiDPI: function() {
             var pixelRatio = window.devicePixelRatio ? window.devicePixelRatio : 1;
             if (pixelRatio > 1) {
diff --git a/static/scripts/sysadmin-app/models/group-repo.js b/static/scripts/sysadmin-app/models/group-repo.js
index 2c410429a4..c5233ae25b 100644
--- a/static/scripts/sysadmin-app/models/group-repo.js
+++ b/static/scripts/sysadmin-app/models/group-repo.js
@@ -15,9 +15,10 @@ define([
         },
 
         getIconTitle: function() {
-            var is_encrypted = this.get('encrypted');
-            var is_readonly = this.get('permission') == "r" ? true : false;
-            return Common.getLibIconTitle(is_encrypted, is_readonly);
+            return Common.getLibIconTitle({
+                'encrypted': this.get('encrypted'),
+                'permission': this.get('permission')
+            });
         }
     });
 
diff --git a/static/scripts/sysadmin-app/models/repo.js b/static/scripts/sysadmin-app/models/repo.js
index f78364e93c..d665b24c91 100644
--- a/static/scripts/sysadmin-app/models/repo.js
+++ b/static/scripts/sysadmin-app/models/repo.js
@@ -12,8 +12,11 @@ define([
         },
 
         getIconTitle: function() {
-            var is_encrypted = this.get('encrypted');
-            return Common.getLibIconTitle(is_encrypted, false);
+            return Common.getLibIconTitle({
+                'encrypted': this.get('encrypted'),
+                'permission': 'rw'
+            });
+
         }
     });
 
diff --git a/tests/api/endpoints/test_dir_shared_items.py b/tests/api/endpoints/test_dir_shared_items.py
index 0fa9cc3bea..cc51a65d55 100644
--- a/tests/api/endpoints/test_dir_shared_items.py
+++ b/tests/api/endpoints/test_dir_shared_items.py
@@ -8,6 +8,7 @@ from seaserv import seafile_api
 
 from tests.common.utils import randstring
 
+from seahub.constants import PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT
 from seahub.test_utils import BaseTestCase, TRAVIS
 
 
@@ -243,6 +244,24 @@ class DirSharedItemsTest(BaseTestCase):
         json_resp = json.loads(resp.content)
         assert 'has been shared to' in json_resp['failed'][0]['error_msg']
 
+    def test_can_share_repo_to_groups_with_perms(self):
+        self.login_as(self.user)
+
+        grp1 = self.group
+        grp2 = self.create_group(group_name="test-grp2",
+                                 username=self.user.username)
+
+        for g, perm in [(grp1, PERMISSION_PREVIEW), (grp2, PERMISSION_PREVIEW_EDIT)]:
+            resp = self.client.put(
+                '/api2/repos/%s/dir/shared_items/?p=/' % (self.repo.id),
+                "share_type=group&&group_id=%d&permission=%s" % (g.id, perm),
+                'application/x-www-form-urlencoded',
+            )
+            self.assertEqual(200, resp.status_code)
+            json_resp = json.loads(resp.content)
+            assert len(json_resp['success']) == 1
+            assert json_resp['success'][0]['permission'] == perm
+
     @pytest.mark.skipif(TRAVIS, reason="") # pylint: disable=E1101
     def test_can_share_repo_to_org_groups(self):
         self.login_as(self.org_user)
diff --git a/tests/api/endpoints/test_group_libraries.py b/tests/api/endpoints/test_group_libraries.py
index 724a62cb32..5c7dc7f6cb 100644
--- a/tests/api/endpoints/test_group_libraries.py
+++ b/tests/api/endpoints/test_group_libraries.py
@@ -8,7 +8,9 @@ from tests.common.utils import randstring
 
 from seahub.test_utils import BaseTestCase
 from seahub.share.models import ExtraGroupsSharePermission
-from seahub.constants import PERMISSION_ADMIN
+from seahub.constants import (
+    PERMISSION_ADMIN, PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT)
+
 
 class GroupLibrariesTest(BaseTestCase):
 
@@ -76,6 +78,27 @@ class GroupLibrariesTest(BaseTestCase):
         group_repos = seafile_api.get_repos_by_group(self.group_id)
         assert len(group_repos) == 1
 
+    def test_can_create_with_perms(self):
+        group_repos = seafile_api.get_repos_by_group(self.group_id)
+        assert len(group_repos) == 0
+
+        self.login_as(self.user)
+
+        for perm in [PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT]:
+            repo_name = randstring(6)
+            resp = self.client.post(self.group_libraries_url, {
+                'repo_name': repo_name,
+                'permission': perm
+            })
+            self.assertEqual(200, resp.status_code)
+
+            json_resp = json.loads(resp.content)
+            assert json_resp['repo_name'] == repo_name
+            assert json_resp['permission'] == perm
+
+        group_repos = seafile_api.get_repos_by_group(self.group_id)
+        assert len(group_repos) == 2
+
     def test_create_with_login_user_is_not_group_member(self):
 
         self.login_as(self.admin)
diff --git a/tests/seahub/utils/test_repo.py b/tests/seahub/utils/test_repo.py
index 2f2c257058..9f7f41640d 100644
--- a/tests/seahub/utils/test_repo.py
+++ b/tests/seahub/utils/test_repo.py
@@ -1,4 +1,8 @@
-from seahub.utils.repo import get_repo_shared_users, get_repo_owner
+from seahub.constants import (
+    PERMISSION_PREVIEW, PERMISSION_PREVIEW_EDIT,
+    PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN
+)
+from seahub.utils.repo import get_repo_shared_users, get_repo_owner, parse_repo_perm
 from seahub.test_utils import BaseTestCase
 
 import seaserv
@@ -37,3 +41,39 @@ class GetRepoSharedUsersTest(BaseTestCase):
         seafile_api.set_group_repo(self.repo.id, self.group.id,
                                    username, 'rw')
         assert get_repo_shared_users(self.repo.id, owner) == [self.admin.username, self.user2.username]
+
+
+class TestParseRepoPerm(BaseTestCase):
+    def test_parse_repo_perm_download(self):
+        assert parse_repo_perm(PERMISSION_ADMIN).can_download is True
+        assert parse_repo_perm(PERMISSION_READ_WRITE).can_download is True
+        assert parse_repo_perm(PERMISSION_READ).can_download is True
+        assert parse_repo_perm(PERMISSION_PREVIEW).can_download is False
+        assert parse_repo_perm(PERMISSION_PREVIEW_EDIT).can_download is False
+
+    def test_parse_repo_perm_upload(self):
+        assert parse_repo_perm(PERMISSION_ADMIN).can_upload is True
+        assert parse_repo_perm(PERMISSION_READ_WRITE).can_upload is True
+        assert parse_repo_perm(PERMISSION_READ).can_upload is False
+        assert parse_repo_perm(PERMISSION_PREVIEW).can_upload is False
+        assert parse_repo_perm(PERMISSION_PREVIEW_EDIT).can_upload is False
+
+    def test_valid_prop(self):
+        assert parse_repo_perm(PERMISSION_READ).can_download is True
+        if parse_repo_perm(PERMISSION_READ).can_download:
+            assert True
+        else:
+            assert False
+
+        assert parse_repo_perm(PERMISSION_PREVIEW).can_download is False
+        if parse_repo_perm(PERMISSION_PREVIEW).can_download:
+            assert False
+        else:
+            assert True
+
+    def test_invalid_prop(self):
+        try:
+            parse_repo_perm(PERMISSION_READ).can_downloadxx
+            assert False
+        except AttributeError:
+            assert True