diff --git a/seahub/base/accounts.py b/seahub/base/accounts.py
index cfc360c43e..a4bf9e3b74 100644
--- a/seahub/base/accounts.py
+++ b/seahub/base/accounts.py
@@ -180,10 +180,11 @@ class UserPermissions(object):
                 return False
         elif self.user.is_staff:
             return True
-        elif self._get_perm_by_roles('can_add_public_repo'):
+        elif self._get_perm_by_roles('can_add_public_repo') and \
+                bool(config.ENABLE_USER_CREATE_ORG_REPO):
             return True
         else:
-            return bool(config.ENABLE_USER_CREATE_ORG_REPO)
+            return False
 
     def can_drag_drop_folder_to_sync(self):
         return self._get_perm_by_roles('can_drag_drop_folder_to_sync')
diff --git a/tests/api/endpoints/test_shared_repos.py b/tests/api/endpoints/test_shared_repos.py
index 92c1c9f6c8..ba7ab60930 100644
--- a/tests/api/endpoints/test_shared_repos.py
+++ b/tests/api/endpoints/test_shared_repos.py
@@ -9,6 +9,7 @@ from seaserv import seafile_api
 from seahub.profile.models import Profile
 from seahub.test_utils import BaseTestCase, TRAVIS
 from tests.common.utils import randstring
+from mock import patch, MagicMock
 
 
 class SharedReposTest(BaseTestCase):
@@ -219,6 +220,7 @@ class SharedReposTest(BaseTestCase):
         target_repo = [repo for repo in repos if repo.repo_id == self.org_repo.id]
         assert target_repo[0].permission == 'r'
 
+    @patch('seahub.base.accounts.UserPermissions.can_add_public_repo', MagicMock(return_value=True))
     def test_can_update_public_share_perm(self):
         for r in seaserv.seafserv_threaded_rpc.list_inner_pub_repos():
             seafile_api.remove_inner_pub_repo(r.repo_id)
@@ -229,6 +231,7 @@ class SharedReposTest(BaseTestCase):
         assert repos[0].permission == 'rw'
 
         self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is True
 
         url = reverse('api-v2.1-shared-repo', args=[self.repo_id])
         data = 'permission=r&share_type=public'
@@ -239,6 +242,15 @@ class SharedReposTest(BaseTestCase):
         repos = seafile_api.list_inner_pub_repos_by_owner(self.user_name)
         assert repos[0].permission == 'r'
 
+    def test_can_not_update_public_share_perm_when_add_public_repo_disabled(self):
+        self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is False
+
+        url = reverse('api-v2.1-shared-repo', args=[self.repo_id])
+        data = 'permission=r&share_type=public'
+        resp = self.client.put(url, data, 'application/x-www-form-urlencoded')
+        self.assertEqual(403, resp.status_code)
+
     def test_delete_user_share(self):
         self.share_repo_to_user()
 
diff --git a/tests/api/test_public_repo.py b/tests/api/test_public_repo.py
index 86a5132f46..12d84d9337 100644
--- a/tests/api/test_public_repo.py
+++ b/tests/api/test_public_repo.py
@@ -6,6 +6,7 @@ pytestmark = pytest.mark.django_db
 from seaserv import seafile_api, ccnet_threaded_rpc
 
 from seahub.test_utils import BaseTestCase
+from mock import patch, MagicMock
 
 
 class RepoPublicTest(BaseTestCase):
@@ -44,14 +45,23 @@ class RepoPublicTest(BaseTestCase):
         json_resp = json.loads(resp.content)
         assert 'success' in json_resp
 
+    @patch('seahub.base.accounts.UserPermissions.can_add_public_repo', MagicMock(return_value=True))
     def test_user_can_set_pub_repo(self):
         self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is True
 
         resp = self.client.put(self.user_repo_url+'?share_type=public&permission=rw')
         self.assertEqual(200, resp.status_code)
         json_resp = json.loads(resp.content)
         assert 'success' in json_resp
 
+    def test_user_can_not_set_pub_repo_when_add_public_repo_disabled(self):
+        self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is False
+
+        resp = self.client.put(self.user_repo_url+'?share_type=public&permission=rw')
+        self.assertEqual(403, resp.status_code)
+
     def test_admin_can_set_pub_repo_when_setting_disalbed(self):
         assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is True
         self.config.ENABLE_USER_CREATE_ORG_REPO = False
diff --git a/tests/api/test_shared_repo.py b/tests/api/test_shared_repo.py
index f9d04a4041..f7b8a32446 100644
--- a/tests/api/test_shared_repo.py
+++ b/tests/api/test_shared_repo.py
@@ -3,6 +3,7 @@ pytestmark = pytest.mark.django_db
 
 from seahub.test_utils import BaseTestCase
 from seaserv import seafile_api
+from mock import patch, MagicMock
 
 
 class SharedRepoTest(BaseTestCase):
@@ -28,14 +29,24 @@ class SharedRepoTest(BaseTestCase):
         self.assertEqual(200, resp.status_code)
         assert "success" in resp.content
 
+    @patch('seahub.base.accounts.UserPermissions.can_add_public_repo', MagicMock(return_value=True))
     def test_user_can_share_repo_to_public(self):
         self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is True
 
         url = self.shared_repo_url % self.repo.id
         resp = self.client.put(url)
         self.assertEqual(200, resp.status_code)
         assert "success" in resp.content
 
+    def test_user_can_not_share_repo_to_public_when_add_public_repo_disabled(self):
+        self.login_as(self.user)
+        assert self.user.permissions.can_add_public_repo() is False
+
+        url = self.shared_repo_url % self.repo.id
+        resp = self.client.put(url)
+        self.assertEqual(403, resp.status_code)
+
     def test_admin_can_set_pub_repo_when_setting_disalbed(self):
         assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is True
         self.config.ENABLE_USER_CREATE_ORG_REPO = False
diff --git a/tests/seahub/base/test_accounts.py b/tests/seahub/base/test_accounts.py
index 37c56ac6cb..7ae60a0180 100644
--- a/tests/seahub/base/test_accounts.py
+++ b/tests/seahub/base/test_accounts.py
@@ -3,6 +3,54 @@ from seahub.base.accounts import User, RegistrationForm
 
 from seahub.options.models import UserOptions
 from post_office.models import Email
+from django.core.urlresolvers import reverse
+from mock import patch
+
+
+TEST_ADD_PUBLIC_ENABLED_ROLE_PERMISSIONS = {
+    'default': {
+        'can_add_repo': True,
+        'can_add_group': True,
+        'can_view_org': True,
+        'can_add_public_repo': True,
+        'can_use_global_address_book': True,
+        'can_generate_share_link': True,
+        'can_generate_upload_link': True,
+        'can_send_share_link_mail': True,
+        'can_invite_guest': False,
+        'can_drag_drop_folder_to_sync': True,
+        'can_connect_with_android_clients': True,
+        'can_connect_with_ios_clients': True,
+        'can_connect_with_desktop_clients': True,
+        'can_export_files_via_mobile_client': True,
+        'storage_ids': [],
+        'role_quota': '',
+        'can_use_wiki': True,
+    },
+    'guest': {
+        'can_add_repo': False,
+        'can_add_group': False,
+        'can_view_org': False,
+        'can_add_public_repo': False,
+        'can_use_global_address_book': False,
+        'can_generate_share_link': False,
+        'can_generate_upload_link': False,
+        'can_send_share_link_mail': False,
+        'can_invite_guest': False,
+        'can_drag_drop_folder_to_sync': False,
+        'can_connect_with_android_clients': False,
+        'can_connect_with_ios_clients': False,
+        'can_connect_with_desktop_clients': False,
+        'can_export_files_via_mobile_client': False,
+        'storage_ids': [],
+        'role_quota': '',
+        'can_use_wiki': False,
+    },
+}
+
+CLOUD_MODE_TRUE = True
+MULTI_TENANCY_TRUE = True
+MULTI_TENANCY_FALSE = False
 
 class UserTest(BaseTestCase):
     def test_freeze_user(self):
@@ -33,6 +81,10 @@ class UserTest(BaseTestCase):
         assert len(UserOptions.objects.filter(email=test_email)) == 0
 
 class UserPermissionsTest(BaseTestCase):
+    def setUp(self):
+        from constance import config
+        self.config = config
+
     def test_permissions(self):
         assert self.user.permissions.can_add_repo() is True
         assert self.user.permissions.can_add_group() is True
@@ -48,6 +100,45 @@ class UserPermissionsTest(BaseTestCase):
 
         assert self.user.permissions.can_export_files_via_mobile_client() is True
 
+    def test_admin_permissions_can_add_public_repo(self):
+
+        assert self.admin.permissions.can_add_public_repo() is True
+
+    @patch('seahub.base.accounts.CLOUD_MODE', CLOUD_MODE_TRUE)
+    def test_CLOUD_MODE_permissions_can_add_public_repo(self):
+
+        with patch('seahub.base.accounts.MULTI_TENANCY', MULTI_TENANCY_TRUE):
+            assert self.user.permissions.can_add_public_repo() is True
+        with patch('seahub.base.accounts.MULTI_TENANCY', MULTI_TENANCY_FALSE):
+            assert self.user.permissions.can_add_public_repo() is False
+
+    def test_user_permissions_can_add_public_repo(self):
+        # both have
+        self.config.ENABLE_USER_CREATE_ORG_REPO = 1
+        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is True
+        with patch('seahub.role_permissions.utils.ENABLED_ROLE_PERMISSIONS', TEST_ADD_PUBLIC_ENABLED_ROLE_PERMISSIONS):
+            assert self.user.permissions._get_perm_by_roles('can_add_public_repo') is True
+            assert self.user.permissions.can_add_public_repo() is True
+
+        # only have can_add_public_repo
+        self.config.ENABLE_USER_CREATE_ORG_REPO = 0
+        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is False
+        with patch('seahub.role_permissions.utils.ENABLED_ROLE_PERMISSIONS', TEST_ADD_PUBLIC_ENABLED_ROLE_PERMISSIONS):
+            assert self.user.permissions._get_perm_by_roles('can_add_public_repo') is True
+            assert self.user.permissions.can_add_public_repo() is False
+
+        # only have ENABLE_USER_CREATE_ORG_REPO
+        self.config.ENABLE_USER_CREATE_ORG_REPO = 1
+        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is True
+        assert self.user.permissions._get_perm_by_roles('can_add_public_repo') is False
+        assert self.user.permissions.can_add_public_repo() is False
+
+        # neither have
+        self.config.ENABLE_USER_CREATE_ORG_REPO = 0
+        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is False
+        assert self.user.permissions._get_perm_by_roles('can_add_public_repo') is False
+        assert self.user.permissions.can_add_public_repo() is False
+
 
 class RegistrationFormTest(BaseTestCase):
     def setUp(self):
diff --git a/tests/seahub/views/init/test_libraries.py b/tests/seahub/views/init/test_libraries.py
index 976797420d..67ea581f4e 100644
--- a/tests/seahub/views/init/test_libraries.py
+++ b/tests/seahub/views/init/test_libraries.py
@@ -6,6 +6,8 @@ pytestmark = pytest.mark.django_db
 
 from seahub.options.models import UserOptions
 from seahub.test_utils import BaseTestCase
+from mock import patch, MagicMock
+
 
 class LibrariesTest(BaseTestCase):
     def setUp(self):
@@ -36,16 +38,13 @@ class LibrariesTest(BaseTestCase):
         # user
         self.login_as(self.user)
 
-        self.config.ENABLE_USER_CREATE_ORG_REPO = 1
-        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is True
-
-        resp = self.client.get(self.url)
-        self.assertEqual(200, resp.status_code)
-        assert resp.context['can_add_public_repo'] is True
-
-        self.config.ENABLE_USER_CREATE_ORG_REPO = 0
-        assert bool(self.config.ENABLE_USER_CREATE_ORG_REPO) is False
+        # can_add_public_repo
+        with patch('seahub.base.accounts.UserPermissions.can_add_public_repo', MagicMock(return_value=True)):
+            resp = self.client.get(self.url)
+            self.assertEqual(200, resp.status_code)
+            assert resp.context['can_add_public_repo'] is True
 
+        # can_not_add_public_repo
         resp = self.client.get(self.url)
         self.assertEqual(200, resp.status_code)
         assert resp.context['can_add_public_repo'] is False