diff --git a/endpoints/registry.py b/endpoints/registry.py
index 7bad8c843..ee3a6193f 100644
--- a/endpoints/registry.py
+++ b/endpoints/registry.py
@@ -12,6 +12,8 @@ import storage
 from app import app
 from auth.auth import process_auth, extract_namespace_repo_from_session
 from util import checksums
+from auth.permissions import (ReadRepositoryPermission,
+ ModifyRepositoryPermission)
 store = storage.load()
@@ -76,6 +78,10 @@ def set_cache_headers(f):
 @require_completion
 @set_cache_headers
 def get_image_layer(namespace, repository, image_id, headers):
+ permission = ReadRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 try:
 return Response(store.stream_read(store.image_layer_path(
 namespace, repository, image_id)), headers=headers)
@@ -87,6 +93,10 @@ def get_image_layer(namespace, repository, image_id, headers):
 @process_auth
 @extract_namespace_repo_from_session
 def put_image_layer(namespace, repository, image_id):
+ permission = ModifyRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 try:
 json_data = store.get_content(store.image_json_path(namespace, repository,
 image_id))
@@ -139,6 +149,10 @@ def put_image_layer(namespace, repository, image_id):
 @process_auth
 @extract_namespace_repo_from_session
 def put_image_checksum(namespace, repository, image_id):
+ permission = ModifyRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 checksum = request.headers.get('X-Docker-Checksum')
 if not checksum:
 abort(400) #'Missing Image\'s checksum')
@@ -166,6 +180,10 @@ def put_image_checksum(namespace, repository, image_id):
 @require_completion
 @set_cache_headers
 def get_image_json(namespace, repository, image_id, headers):
+ permission = ReadRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 try:
 data = store.get_content(store.image_json_path(namespace, repository,
 image_id))
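Review bot: The same four-line permission check is pasted as the first statement of get_image_layer and of the five other handlers this commit touches (put_image_layer, put_image_checksum, get_image_json, get_image_ancestry, put_image_json), so a handler added later is unprotected unless its author remembers to copy it. A decorator that takes the permission class would show the required permission next to the route and keep the deny path in one place. It has to sit below whichever decorator supplies `namespace` and `repository`, and the sketch assumes `functools.wraps` is imported in this module. Any decorators above `@require_completion` and the rest of the handler body are outside the hunk.

```python
def require_repo_permission(permission_class):
    def decorator(f):
        @wraps(f)
        def wrapper(namespace, repository, *args, **kwargs):
            # Refuse before the handler touches storage.
            if not permission_class(namespace, repository).can():
                abort(403)
            return f(namespace, repository, *args, **kwargs)
        return wrapper
    return decorator

# … unchanged: @require_completion, @set_cache_headers …
@require_repo_permission(ReadRepositoryPermission)
def get_image_layer(namespace, repository, image_id, headers):
    # … unchanged: try / stream_read body …
```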
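Review bot: The deny branch in put_image_layer (`if not permission.can(): abort(403)`) leaves no record of a refused push, and the same holds for put_image_checksum and put_image_json. A refused write to a repository is a useful signal for whoever monitors the registry. If `app` is the Flask application, a line such as `app.logger.warning('modify denied for %r/%r', namespace, repository)` before `abort(403)` would record it, with `%r` keeping control characters in the request-derived names out of the log. The handler body continues outside the hunk.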
@@ -177,7 +195,7 @@ def get_image_json(namespace, repository, image_id, headers):
 headers['X-Docker-Size'] = str(size)
 except OSError:
 pass
- checksum_path = store.image_checksum_path(image_id)
+ checksum_path = store.image_checksum_path(namespace, repository, image_id)
 if store.exists(checksum_path):
 headers['X-Docker-Checksum'] = store.get_content(checksum_path)
 response = make_response(data, 200)
@@ -191,6 +209,10 @@ def get_image_json(namespace, repository, image_id, headers):
 @require_completion
 @set_cache_headers
 def get_image_ancestry(namespace, repository, image_id, headers):
+ permission = ReadRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 try:
 data = store.get_content(store.image_ancestry_path(namespace, repository,
 image_id))
@@ -229,6 +251,10 @@ def store_checksum(namespace, repository, image_id, checksum):
 @process_auth
 @extract_namespace_repo_from_session
 def put_image_json(namespace, repository, image_id):
+ permission = ModifyRepositoryPermission(namespace, repository)
+ if not permission.can():
+ abort(403)
+
 try:
 data = json.loads(request.data)
 except json.JSONDecodeError:
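Review bot: The reader in get_image_json now builds `store.image_checksum_path(namespace, repository, image_id)`, but nothing visible in this diff shows the writer using the same path. If store_checksum or put_image_checksum still call the one-argument form, or if checksums already stored sit under the old path, `store.exists(checksum_path)` is simply false and the `X-Docker-Checksum` header is dropped without any error. It would help to confirm that every caller of `image_checksum_path` uses the three-argument form, and to add a comment here such as `# checksum is stored per namespace/repository; images pushed before this change may have none`. The function starts and ends outside the hunk.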