diff --git a/seahub/api2/endpoints/dtable.py b/seahub/api2/endpoints/dtable.py
index 4c95f3220f..3cb394616f 100644
--- a/seahub/api2/endpoints/dtable.py
+++ b/seahub/api2/endpoints/dtable.py
@@ -641,7 +641,14 @@ def dtable_file_view(request, workspace_id, name):
     return render(request, 'dtable_file_view_react.html', return_dict)
 
 
-def dtable_asset_access(request, workspace_id, dtable_id, name):
+def dtable_asset_access(request, workspace_id, dtable_id, path):
+
+    # asset file type check
+    asset_name = os.path.basename(normalize_file_path(path))
+    file_type, file_ext = get_file_type_and_ext(asset_name)
+    if file_type != IMAGE:
+        err_msg = 'Invalid file type'
+        return render_error(request, err_msg)
 
     # resource check
     workspace = Workspaces.objects.get_workspace_by_id(workspace_id)
@@ -653,20 +660,20 @@ def dtable_asset_access(request, workspace_id, dtable_id, name):
     if not repo:
         raise Http404
 
-    asset_file_path = os.path.join('/asset', dtable_id, name)
-    asset_file_id = seafile_api.get_file_id_by_path(repo_id, asset_file_path)
-    if not asset_file_id:
+    asset_path = normalize_file_path(os.path.join('/asset', dtable_id, path))
+    asset_id = seafile_api.get_file_id_by_path(repo_id, asset_path)
+    if not asset_id:
         raise Http404
 
-    # check file type
-    file_type, file_ext = get_file_type_and_ext(name)
-    if file_type != IMAGE:
-        err_msg = 'Invalid file type'
-        return render_error(request, err_msg)
+    # permission check
+    username = request.user.username
+    owner = workspace.owner
+    if username != owner:
+        return render_permission_error(request, 'Permission denied.')
 
-    token = seafile_api.get_fileserver_access_token(repo_id, asset_file_id,
-                                                    'view', '', use_onetime=False)
+    token = seafile_api.get_fileserver_access_token(repo_id, asset_id, 'view',
+                                                    '', use_onetime=False)
 
-    url = gen_file_get_url(token, name)
+    url = gen_file_get_url(token, asset_name)
 
     return HttpResponseRedirect(url)
diff --git a/seahub/urls.py b/seahub/urls.py
index 3be3b4c10a..7a2425d3e6 100644
--- a/seahub/urls.py
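Review bot: In the added type check, `file_ext` is bound and never used, and `err_msg` exists only to be passed once; `file_type, _ = get_file_type_and_ext(asset_name)` and `return render_error(request, 'Invalid file type')` say the same thing without the dead names. The check itself is fine as an early reject, since it only looks at the basename the response will later be served under. `dtable_asset_access` continues past the end of this hunk, so the rest of the new prologue (workspace/repo resolution) is not visible here.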
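Review bot: The new owner check at `if username != owner:` runs after `seafile_api.get_file_id_by_path`, so a non-owner is told whether a given asset exists (Http404 versus the permission error) before being rejected; the permission block should sit above the lookup. Separately, `path` is the raw URL tail and is joined with `os.path.join('/asset', dtable_id, path)`: a leading `/` in `path` makes `os.path.join` discard the `/asset/<dtable_id>` prefix, and nothing visible collapses `..` segments (`normalize_file_path`'s behaviour is not shown in this diff), so the resolved path is not guaranteed to stay inside the dtable's asset directory — even for the owner this is worth confining explicitly. The equality check also presumes `workspace.owner` is a username; if workspaces can be owned by a group or org, those owners can never pass, which should be confirmed against the model. `dtable_asset_access` begins above this hunk.
```python
    # permission check — before any lookup, so non-owners cannot probe which assets exist
    username = request.user.username
    owner = workspace.owner
    if username != owner:
        return render_permission_error(request, 'Permission denied.')

    # confine the URL-supplied path to this dtable's asset directory
    asset_dir = os.path.join('/asset', dtable_id)
    asset_path = normalize_file_path(
        os.path.normpath(os.path.join(asset_dir, path.lstrip('/'))))
    if not asset_path.startswith(asset_dir + '/'):
        raise Http404
    asset_id = seafile_api.get_file_id_by_path(repo_id, asset_path)
    if not asset_id:
        raise Http404
    # … unchanged: access token and redirect …
```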
+++ b/seahub/urls.py
@@ -364,7 +364,7 @@ urlpatterns = [
     url(r'^api/v2.1/workspace/(?P\d+)/dtable-update-link/$', DTableUpdateLinkView.as_view(), name='api-v2.1-workspace-dtable-update-link'),
     url(r'^api/v2.1/workspace/(?P\d+)/dtable-asset-upload-link/$', DTableAssetUploadLinkView.as_view(), name='api-v2.1-workspace-dtable-asset-upload-link'),
     url(r'^workspace/(?P\d+)/dtable/(?P.*)/$', dtable_file_view, name='dtable-file-view'),
-    url(r'^workspace/(?P\d+)/asset/(?P[-0-9a-f]{36})/(?P.*)/', dtable_asset_access, name='dtable-asset-access'),
+    url(r'^workspace/(?P\d+)/asset/(?P[-0-9a-f]{36})/(?P.*)$', dtable_asset_access, name='dtable-asset-access'),
 
     # Deprecated
     url(r'^api/v2.1/repos/(?P[-0-9a-f]{36})/tags/$', FileTagsView.as_view(), name="api-v2.1-filetags-view"),
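Review bot: The new `(?P…>.*)$` tail still matches an empty path and any number of `/` and `..` segments (Django matches against the percent-decoded path), all of which reach `dtable_asset_access` as `path` and are joined onto a repository path; unless the view confines the result, the route should at least refuse an empty tail, i.e. `.+` instead of `.*` in that group. The named-group names are stripped in this rendering (`(?P\d+)`), so they cannot be checked here against the view's `workspace_id`, `dtable_id` and `path` parameters. The `urlpatterns` list continues on both sides of this hunk.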