diff --git a/controller/share.go b/controller/share.go
index f3a244bf..b5dc286b 100644
--- a/controller/share.go
+++ b/controller/share.go
@@ -116,6 +116,17 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 				logrus.Error(err)
 				return share.NewShareNotFound()
 			}
+			if sfe.PermissionMode == store.ClosedPermissionMode {
+				granted, err := str.IsFrontendGrantedToAccount(int(principal.ID), sfe.Id, trx)
+				if err != nil {
+					logrus.Error(err)
+					return share.NewShareInternalServerError()
+				}
+				if !granted {
+					logrus.Errorf("'%v' is not granted access to frontend '%v'", principal.Email, frontendSelection)
+					return share.NewShareNotFound()
+				}
+			}
 			if sfe != nil && sfe.UrlTemplate != nil {
 				frontendZIds = append(frontendZIds, sfe.ZId)
 				frontendTemplates = append(frontendTemplates, *sfe.UrlTemplate)
diff --git a/controller/store/frontendGrant.go b/controller/store/frontendGrant.go
new file mode 100644
index 00000000..d676653f
--- /dev/null
+++ b/controller/store/frontendGrant.go
@@ -0,0 +1,18 @@
+package store
+
+import (
+	"github.com/jmoiron/sqlx"
+	"github.com/pkg/errors"
+)
+
+func (str *Store) IsFrontendGrantedToAccount(acctId, frontendId int, trx *sqlx.Tx) (bool, error) {
+	stmt, err := trx.Prepare("select count(0) from frontend_grants where account_id = $1 AND frontend_id = $2")
+	if err != nil {
+		return false, errors.Wrap(err, "error preparing frontend_grants select statement")
+	}
+	var count int
+	if err := stmt.QueryRow(acctId, frontendId).Scan(&count); err != nil {
+		return false, errors.Wrap(err, "error querying frontend_grants count")
+	}
+	return count > 0, nil
+}