diff --git a/routers/api/v1/repo/attachments.go b/routers/api/v1/repo/attachments.go
index cb36ba2ee..7db8c9067 100644
--- a/routers/api/v1/repo/attachments.go
+++ b/routers/api/v1/repo/attachments.go
@@ -1,22 +1,67 @@
 package repo
 
 import (
+	"net/http"
+
+	"code.gitea.io/gitea/modules/log"
+
+	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/context"
 	routeRepo "code.gitea.io/gitea/routers/repo"
 )
 
 func GetSuccessChunks(ctx *context.APIContext) {
+	if errStr := checkDatasetPermission(ctx); errStr != "" {
+		ctx.JSON(http.StatusForbidden, ctx.Tr(errStr))
+	}
+
 	routeRepo.GetSuccessChunks(ctx.Context)
 }
 
+func checkDatasetPermission(ctx *context.APIContext) string {
+	datasetId := ctx.QueryInt64("dataset_id")
+
+	dataset, err := models.GetDatasetByID(datasetId)
+	if err != nil {
+		log.Warn("can not find dataset", err)
+
+		return "dataset.query_dataset_fail"
+	}
+	repo, err := models.GetRepositoryByID(dataset.RepoID)
+	if err != nil {
+		log.Warn("can not find repo", err)
+		return "dataset.query_dataset_fail"
+	}
+
+	permission, err := models.GetUserRepoPermission(repo, ctx.User)
+	if err != nil {
+		log.Warn("can not find repo permission for user", err)
+		return "dataset.query_dataset_fail"
+	}
+	if !permission.CanWrite(models.UnitTypeDatasets) {
+
+		return "error.no_right"
+	}
+	return ""
+}
+
 func NewMultipart(ctx *context.APIContext) {
+	if errStr := checkDatasetPermission(ctx); errStr != "" {
+		ctx.JSON(http.StatusForbidden, ctx.Tr(errStr))
+	}
 	routeRepo.NewMultipart(ctx.Context)
 }
 func GetMultipartUploadUrl(ctx *context.APIContext) {
+	if errStr := checkDatasetPermission(ctx); errStr != "" {
+		ctx.JSON(http.StatusForbidden, ctx.Tr(errStr))
+	}
 	routeRepo.GetMultipartUploadUrl(ctx.Context)
 }
 
 func CompleteMultipart(ctx *context.APIContext) {
+	if errStr := checkDatasetPermission(ctx); errStr != "" {
+		ctx.JSON(http.StatusForbidden, ctx.Tr(errStr))
+	}
 	routeRepo.CompleteMultipart(ctx.Context)
 
 }