diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 567a7db26b..01a4bd5fc1 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -1534,6 +1534,8 @@ def POST_share(self, shareform, jquery, emails, thing, share_from, reply_to,
 pass
 elif shareform.has_errors("ratelimit", errors.RATELIMIT):
 pass
+ elif not sr.can_view(c.user):
+ return abort(403, 'forbidden')
 else:
 emails, users = emails
 c.user.add_share_emails(emails)
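Review bot: The new `elif not sr.can_view(c.user)` branch only reaches the authorization check after the preceding form-error branches, so whether the viewer is allowed to see the thing depends on the order of this `if`/`elif` chain rather than being decided up front; an access check should fail closed before any of the form is handled, e.g. `if not sr.can_view(c.user): abort(403, 'forbidden')` ahead of the first `if` in POST_share. `abort` is expected to raise rather than return, so the `return` in `return abort(403, 'forbidden')` is redundant and `abort(403, 'forbidden')` alone reads clearer. `sr` is not bound within the hunk; presumably it is derived from `thing` earlier in the function, and it is worth confirming it can never be None for a shareable thing, since that would turn the check into an AttributeError instead of a 403. POST_share's body begins and continues outside the hunk.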