diff --git a/datastore_server/source/java/ch/ethz/sis/openbis/generic/server/dssapi/v3/DataStoreServerApi.java b/datastore_server/source/java/ch/ethz/sis/openbis/generic/server/dssapi/v3/DataStoreServerApi.java
index df07a8c792233ee022a5bcdbf667f9200eed580b..ce1aa5e080a31cc9accafe9ceee6d26bf7b4f934 100644
--- a/datastore_server/source/java/ch/ethz/sis/openbis/generic/server/dssapi/v3/DataStoreServerApi.java
+++ b/datastore_server/source/java/ch/ethz/sis/openbis/generic/server/dssapi/v3/DataStoreServerApi.java
@@ -49,6 +49,7 @@ import ch.ethz.sis.openbis.generic.dssapi.v3.dto.datasetfile.id.DataSetFilePermI
 import ch.ethz.sis.openbis.generic.dssapi.v3.dto.datasetfile.id.IDataSetFileId;
 import ch.ethz.sis.openbis.generic.dssapi.v3.dto.datasetfile.search.DataSetFileSearchCriteria;
 import ch.ethz.sis.openbis.generic.server.dssapi.v3.download.DataSetFileDownloadInputStream;
+import ch.systemsx.cisd.common.exceptions.Status;
 import ch.systemsx.cisd.common.filesystem.IFreeSpaceProvider;
 import ch.systemsx.cisd.common.filesystem.SimpleFreeSpaceProvider;
 import ch.systemsx.cisd.common.logging.LogCategory;
@@ -63,6 +64,7 @@ import ch.systemsx.cisd.openbis.dss.generic.server.plugins.tasks.IPluginTaskInfo
 import ch.systemsx.cisd.openbis.dss.generic.shared.IEncapsulatedOpenBISService;
 import ch.systemsx.cisd.openbis.dss.generic.shared.IHierarchicalContentProvider;
 import ch.systemsx.cisd.openbis.dss.generic.shared.IShareIdManager;
+import ch.systemsx.cisd.openbis.dss.generic.shared.api.internal.authorization.DssSessionAuthorizationHolder;
 import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.RolesAllowed;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
 import ch.systemsx.cisd.openbis.plugin.query.shared.api.v1.IQueryApiServer;
@@ -211,22 +213,26 @@ public class DataStoreServerApi extends AbstractDssServiceRpc<IDataStoreServerAp
 if (filePermId.getDataSetId() instanceof DataSetPermId)
 {
 String dataSetCode = ((DataSetPermId) filePermId.getDataSetId()).getPermId();
- String filePath = filePermId.getFilePath();
+ Status authorizationStatus = DssSessionAuthorizationHolder.getAuthorizer().checkDatasetAccess(sessionToken, dataSetCode);
 
- IHierarchicalContent content = contentProvider.asContent(dataSetCode);
- IHierarchicalContentNode node = content.getNode(filePath);
-
- if (node.isDirectory() && downloadOptions.isRecursive())
+ if (authorizationStatus.isOK())
 {
- for (IHierarchicalContentNode child : iterate(node))
+ String filePath = filePermId.getFilePath();
+
+ IHierarchicalContent content = contentProvider.asContent(dataSetCode);
+ IHierarchicalContentNode node = content.getNode(filePath);
+
+ if (node.isDirectory() && downloadOptions.isRecursive())
 {
- contentNodes.put(child, dataSetCode);
+ for (IHierarchicalContentNode child : iterate(node))
+ {
+ contentNodes.put(child, dataSetCode);
+ }
+ } else
+ {
+ contentNodes.put(node, dataSetCode);
 }
- } else
- {
- contentNodes.put(node, dataSetCode);
 }
-
 } else
 {
 throw new IllegalArgumentException("Unsupported dataSetId: " + fileId);
diff --git a/datastore_server/sourceTest/java/ch/ethz/sis/openbis/generic/dss/systemtest/api/v3/DownloadFileTest.java b/datastore_server/sourceTest/java/ch/ethz/sis/openbis/generic/dss/systemtest/api/v3/DownloadFileTest.java
index 6e479a48915d8664c844aa1ea528ca389910f554..844d018ae2e25c54d616d3de5903e226a282e12f 100644
--- a/datastore_server/sourceTest/java/ch/ethz/sis/openbis/generic/dss/systemtest/api/v3/DownloadFileTest.java
+++ b/datastore_server/sourceTest/java/ch/ethz/sis/openbis/generic/dss/systemtest/api/v3/DownloadFileTest.java
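Review bot: When `authorizationStatus.isOK()` is false nothing happens at all: the denial is neither logged nor reported, and the `Status` returned by `checkDatasetAccess` is discarded. The caller then gets an empty or partial stream that looks the same as a data set without files, and operators have no trace of repeated requests for data sets the session may not read. If skipping silently is the intended contract (the new test expects an empty stream), keep it but add an `else` branch that writes `dataSetCode` and `authorizationStatus` to the class's existing log, never the session token, plus a comment such as `// Data sets the session may not access are skipped, not reported, so callers cannot tell them from empty ones.` The enclosing method starts and ends outside this hunk, so how `contentNodes` is consumed afterwards is not visible here.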
@@ -19,6 +19,19 @@ import ch.ethz.sis.openbis.generic.dssapi.v3.dto.datasetfile.id.IDataSetFileId;
 public class DownloadFileTest extends AbstractFileTest
 {
+ @Test
+ public void testDownloadUnauthorized()
+ {
+ String spaceSessionToken = gis.tryToAuthenticateForAllServices("test_space", "password");
+
+ InputStream stream = dss.downloadFiles(spaceSessionToken, Arrays.asList(new DataSetFilePermId(new DataSetPermId(dataSetCode))),
+ new DataSetFileDownloadOptions());
+
+ DataSetFileDownloadReader reader = new DataSetFileDownloadReader(stream);
+
+ assertNull(reader.read());
+ }
+
 @Test
 public void testDownloadAllFiles() throws Exception
 {
@@ -128,8 +141,7 @@ public class DownloadFileTest extends AbstractFileTest
 assertEquals(getContent(download2.getDataSetFile().getPath()).length(), download2.getDataSetFile().getFileLength());
 }
- private Map<String, String> download(@SuppressWarnings("hiding")
- List<IDataSetFileId> files, DataSetFileDownloadOptions options)
+ private Map<String, String> download(@SuppressWarnings("hiding") List<IDataSetFileId> files, DataSetFileDownloadOptions options)
 {
 try
 {
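Review bot: `testDownloadUnauthorized` never checks that the login for `test_space` succeeded, so it can pass for the wrong reason: the `tryTo` prefix suggests `tryToAuthenticateForAllServices` returns null on a failed login, and a null token would presumably produce an empty stream as well. Adding `assertNotNull(spaceSessionToken);` right after the login (with the matching static import, if the file lacks it) makes the test prove that a valid but unprivileged session is denied. The `InputStream` is also never closed; a try-with-resources around it would release it even when the assertion fails. A further case that requests an accessible and an inaccessible data set in one call would pin down the partial-result behaviour the server change introduces.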