diff --git a/code/rest/share_controller.go b/code/rest/share_controller.go
index 5e02d5d..d28f094 100644
--- a/code/rest/share_controller.go
+++ b/code/rest/share_controller.go
@@ -183,7 +183,6 @@ func (this *ShareController) Permits(writer http.ResponseWriter, request *http.R
 	uuid := request.FormValue("uuid")
 	update := request.FormValue("update")
 	permitList := request.FormValue("permitList")
-	//uid := request.FormValue("uid") //当前用户
 
 	if uuid == "" {
 		panic(result.BadRequest("uuid cannot be null"))
@@ -197,6 +196,10 @@ func (this *ShareController) Permits(writer http.ResponseWriter, request *http.R
 	//通过users参数进行逻辑分支处理
 	if update == "true" && permitList != "" {
 		length := request.FormValue("len")
+		user := this.checkUser(request)
+		if share.UserUuid != user.Uuid {
+			panic(result.Unauthorized("have no permission for editing"))
+		}
 
 		permited, err := checkFormatOfPermitList(permitList, length)
 		if err != nil {
@@ -339,7 +342,13 @@ func (this *ShareController) Browse(writer http.ResponseWriter, request *http.Re
 	rootUuid := request.FormValue("rootUuid")
 
 	user := this.findUser(request)
+
 	share := this.shareService.CheckShare(request, shareUuid, code, user)
+	//by han: add permitList verification feature
+	if user.Uuid != share.UserUuid && share.PermitList != "" && !strings.Contains(share.PermitList, user.Uuid) {
+		panic(result.UNAUTHORIZED)
+	}
+
 	bridges := this.bridgeDao.FindByShareUuid(share.Uuid)
 
 	if puuid == MATTER_ROOT {
@@ -416,6 +425,12 @@ func (this *ShareController) Zip(writer http.ResponseWriter, request *http.Reque
 
 		//download all things.
 		share := this.shareService.CheckShare(request, shareUuid, code, user)
+
+		//by han: add verification for downloadAPI
+		if user.Uuid != share.UserUuid && share.PermitList != "" && !strings.Contains(share.PermitList, user.Uuid) {
+			panic(result.UNAUTHORIZED)
+		}
+
 		bridges := this.bridgeDao.FindByShareUuid(share.Uuid)
 		var matterUuids []string
 		for _, bridge := range bridges {
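Review bot: The new owner check in Permits is placed inside the `update == "true" && permitList != ""` branch only, so the other branch of the function (its body lies outside the hunk) is reached without any comparison of `share.UserUuid` against the caller; if that branch returns or otherwise exposes the permit list, `user := this.checkUser(request)` and the owner comparison belong above the `if`, not inside it. The three new guards in this file also disagree in form, `result.Unauthorized("have no permission for editing")` here versus the bare `result.UNAUTHORIZED` in the Browse and Zip hunks; one style for all three makes the audit easier. `share` is declared before the hunk begins, so the check presumably runs after the share has already been loaded.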
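Review bot: `strings.Contains(share.PermitList, user.Uuid)` in the Browse hunk is a substring test, not a membership test: `strings.Contains(s, "")` is always true, so a user whose `Uuid` is empty (whether `findUser` can produce one is not visible here) passes the guard against any non-empty list, and a UUID that happens to occur across an entry boundary of the separator-joined string would pass as well. Split the list on the separator that `checkFormatOfPermitList` accepts and compare whole entries, e.g. `allowed := user.Uuid != "" && containsEntry(strings.Split(share.PermitList, <separator>), user.Uuid)` with `containsEntry` a plain `==` loop, keeping the owner and empty-list short-circuits as they are. The identical expression is repeated in the Zip hunk below; a single helper on `ShareController` used by both would keep the two read paths from drifting. No import hunk for `strings` appears in this diff, so the package is presumably already imported by this file.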
diff --git a/code/rest/user_service.go b/code/rest/user_service.go
index c6ad24b..d8e42c8 100644
--- a/code/rest/user_service.go
+++ b/code/rest/user_service.go
@@ -1,6 +1,7 @@
 package rest
 
 import (
+	"encoding/base64"
 	"net/http"
 	"os"
 	"time"
@@ -114,7 +115,12 @@ func (this *UserService) MatterUnlock(userUuid string) {
 // load session to SessionCache. This method will be invoked in every request.
 // authorize by 1. cookie 2. username and password in request form. 3. Basic Auth
 func (this *UserService) PreHandle(writer http.ResponseWriter, request *http.Request) {
-	userid := request.Header.Get("user-id")
+	identifier, err := base64.StdEncoding.DecodeString(request.Header.Get("Identifier"))
+	if err != nil {
+		panic(result.LOGIN)
+	}
+
+	userid := string(identifier)
 	sessionId := util.GetSessionUuidFromRequest(request, core.COOKIE_AUTH_KEY)
 
 	var user *User
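Review bot: `userid` is still taken from a request header the client fully controls; base64-decoding `Identifier` adds no integrity or authenticity over the old `user-id` header, so whatever PreHandle does with `userid` further down (outside the hunk) must continue to treat it as an unverified hint, bound to the cookie session or credentials rather than used as an identity on its own. The decoded bytes are also converted with `string(identifier)` without any shape check, so arbitrary binary, newlines or an over-long value can reach the lookups and logs that consume it; a guard such as `if !utf8.ValidString(userid) || len(userid) > <max id length> { panic(result.LOGIN) }` keeps the value to what an identifier can be. The doc comment above the function lists cookie, form credentials and Basic Auth but not this header; add `// 4. base64-encoded user id in the Identifier header (advisory only, never trusted on its own)` so the next reader sees the new input. Note that `DecodeString("")` returns no error, so a missing header yields an empty `userid`, while a malformed one now rejects the request with `result.LOGIN` even when a valid cookie is present.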