diff --git a/httpd/api_http_user.go b/httpd/api_http_user.go index eac3b2ed..c9a753b4 100644 --- a/httpd/api_http_user.go +++ b/httpd/api_http_user.go @@ -96,6 +96,7 @@ func createUserDir(w http.ResponseWriter, r *http.Request) { return } } + connection.User.CheckFsRoot(connection.ID) //nolint:errcheck err = connection.CreateDir(name, true) if err != nil { sendAPIResponse(w, r, err, fmt.Sprintf("Unable to create directory %#v", name), getMappedStatusCode(err)) @@ -225,6 +226,7 @@ func uploadUserFile(w http.ResponseWriter, r *http.Request) { } func doUploadFile(w http.ResponseWriter, r *http.Request, connection *Connection, filePath string) error { + connection.User.CheckFsRoot(connection.ID) //nolint:errcheck writer, err := connection.getFileWriter(filePath) if err != nil { sendAPIResponse(w, r, err, fmt.Sprintf("Unable to write file %#v", filePath), getMappedStatusCode(err)) @@ -294,6 +296,7 @@ func uploadUserFiles(w http.ResponseWriter, r *http.Request) { func doUploadFiles(w http.ResponseWriter, r *http.Request, connection *Connection, parentDir string, files []*multipart.FileHeader, ) int { + connection.User.CheckFsRoot(connection.ID) //nolint:errcheck uploaded := 0 connection.User.UploadBandwidth = 0 for _, f := range files { diff --git a/httpd/api_utils.go b/httpd/api_utils.go index 48340c8e..d2e9377d 100644 --- a/httpd/api_utils.go +++ b/httpd/api_utils.go @@ -232,6 +232,7 @@ func getCompressedFileName(username string, files []string) string { func renderCompressedFiles(w http.ResponseWriter, conn *Connection, baseDir string, files []string, share *dataprovider.Share, ) { + conn.User.CheckFsRoot(conn.ID) //nolint:errcheck w.Header().Set("Content-Type", "application/zip") w.Header().Set("Accept-Ranges", "none") w.Header().Set("Content-Transfer-Encoding", "binary") 
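Review bot: The error from `connection.User.CheckFsRoot(connection.ID)` in createUserDir is discarded under `//nolint:errcheck` with no stated reason. The same line recurs in doUploadFile, doUploadFiles, renderCompressedFiles, downloadFile and handleClientEditFile. CheckFsRoot is not visible in this diff, so if it does not log its own failures, an unusable root would only surface later as the generic "Unable to create directory" or "Unable to write file" response, with the real cause missing from the audit trail. If ignoring it is intentional, say so at each call site, for example `// best effort: a missing or unusable root is reported by the operation that follows`; otherwise check the result and return it through the existing `sendAPIResponse(w, r, err, ..., getMappedStatusCode(err))` path. The bodies of createUserDir and the other functions extend beyond their hunks.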
@@ -326,6 +327,7 @@ func checkDownloadFileFromShare(share *dataprovider.Share, info os.FileInfo) err func downloadFile(w http.ResponseWriter, r *http.Request, connection *Connection, name string, info os.FileInfo, inline bool, share *dataprovider.Share, ) (int, error) { + connection.User.CheckFsRoot(connection.ID) //nolint:errcheck err := checkDownloadFileFromShare(share, info) if err != nil { return http.StatusBadRequest, err diff --git a/httpd/webclient.go b/httpd/webclient.go index bdc3b872..6839f694 100644 --- a/httpd/webclient.go +++ b/httpd/webclient.go @@ -954,6 +954,7 @@ func (s *httpdServer) handleClientEditFile(w http.ResponseWriter, r *http.Reques return } + connection.User.CheckFsRoot(connection.ID) //nolint:errcheck reader, err := connection.getFileReader(name, 0, r.Method) if err != nil { s.renderClientMessagePage(w, r, fmt.Sprintf("Unable to get a reader for the file %#v", name), "",
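Review bot: In downloadFile the new `connection.User.CheckFsRoot(connection.ID)` call runs before `checkDownloadFileFromShare(share, info)`, so a request that the share check rejects with `http.StatusBadRequest` still triggers the root check first. CheckFsRoot is not shown here; if it creates or otherwise touches the user's root, it is safer to validate first and move the call below the `if err != nil { return http.StatusBadRequest, err }` block. The function body continues beyond the hunk, so confirm that nothing between the two points depends on the root already being prepared.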