diff --git a/frontend/src/markdown-editor.js b/frontend/src/markdown-editor.js
index 9167fc0796..66b61b0830 100644
--- a/frontend/src/markdown-editor.js
+++ b/frontend/src/markdown-editor.js
@@ -94,6 +94,22 @@ class EditorUtilities {
     );
   }
 
+  uploadLocalImage = (imageFile) => {
+    return (
+      seafileAPI.getUploadLink(repoID, dirPath).then((res) => {
+        const uploadLink = res.data + '?ret-json=1';
+        const newFile = new File([imageFile], imageFile.name, {type: imageFile.type});
+        const formData = new FormData();
+        formData.append('parent_dir', '/');
+        formData.append('relative_path', 'images');
+        formData.append('file', newFile);
+        return seafileAPI.uploadImage(uploadLink, formData);
+      }).then ((res) => {
+        return this._getImageURL(res.data[0].name);
+      })
+    );
+  }
+
   getFileURL(fileNode) {
     var url;
     if (fileNode.type === 'file') {
diff --git a/seahub/api2/endpoints/draft_review_reviewer.py b/seahub/api2/endpoints/draft_review_reviewer.py
index 883c1fd66d..b7b5b8ebf9 100644
--- a/seahub/api2/endpoints/draft_review_reviewer.py
+++ b/seahub/api2/endpoints/draft_review_reviewer.py
@@ -1,4 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
+import posixpath
+
 from rest_framework import status
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import IsAuthenticated
@@ -86,8 +88,10 @@ class DraftReviewReviewerView(APIView):
                 })
                 continue
 
+            uuid = r.origin_file_uuid
+            origin_file_path = posixpath.join(uuid.parent_path, uuid.filename)
             # check perm
-            if seafile_api.check_permission_by_path(r.origin_repo_id, r.origin_file_path, reviewer) != 'rw':
+            if seafile_api.check_permission_by_path(r.origin_repo_id, origin_file_path, reviewer) != 'rw':
                 error_msg = _(u'Permission denied.')
                 result['failed'].append({
                     'email': reviewer,