diff --git a/DocService/package.json b/DocService/package.json
index 08acfed1..8869f882 100644
--- a/DocService/package.json
+++ b/DocService/package.json
@@ -9,6 +9,7 @@
 "co": "^4.6.0",
 "config": "^1.21.0",
 "cron": "^1.1.0",
+ "deep-equal": "^1.0.1",
 "express": "^4.14.0",
 "fakeredis": "^1.0.3",
 "jsonwebtoken": "^7.1.9",
diff --git a/DocService/sources/DocsCoServer.js b/DocService/sources/DocsCoServer.js
index 938f5526..8a80637a 100644
--- a/DocService/sources/DocsCoServer.js
+++ b/DocService/sources/DocsCoServer.js
@@ -85,6 +85,7 @@ const co = require('co');
 const jwt = require('jsonwebtoken');
 const jwa = require('jwa');
 const ms = require('ms');
+const deepEqual = require('deep-equal');
 const storage = require('./../../Common/sources/storage-base');
 const logger = require('./../../Common/sources/logger');
 const constants = require('./../../Common/sources/constants');
@@ -1654,12 +1655,14 @@ exports.install = function(server, callbackFunction) {
 function isEditMode(permissions, mode, def) {
 if (permissions && mode) {
 //as in web-apps/apps/documenteditor/main/app/controller/Main.js
- return (permissions.edit !== false || permissions.review === true) && mode !== 'view';
+ return ((permissions.edit !== false || permissions.review === true) && mode !== 'view') ||
+ permissions.comment === true;
 } else {
 return def;
 }
 }
 function fillDataFromJwt(decoded, data) {
+ let res = true;
 var openCmd = data.openCmd;
 if (decoded.document) {
 var doc = decoded.document;
@@ -1670,6 +1673,7 @@ exports.install = function(server, callbackFunction) {
 }
 }
 if(doc.permissions) {
+ res = deepEqual(data.permissions, doc.permissions, {strict: true});
 if(!data.permissions){
 data.permissions = {};
 }
@@ -1729,6 +1733,7 @@ exports.install = function(server, callbackFunction) {
 if (decoded.iss) {
 data.iss = decoded.iss;
 }
+ return res;
 }
 function fillVersionHistoryFromJwt(decoded, cmd) {
 if (decoded.changesUrl && decoded.previous && (cmd.getServerVersion() === commonDefines.buildVersion)) {
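Review bot: In the rewritten `return` of isEditMode the new `|| permissions.comment === true` sits outside the `mode !== 'view'` gate, so a permissions object with `comment: true` now yields edit mode even when `mode === 'view'`, which the previous expression never did. If that is intentional the existing `//as in web-apps/...` comment should say so, since a reader comparing with that file will otherwise take it for a precedence slip; if not, keep the gate by writing `return (permissions.edit !== false || permissions.review === true || permissions.comment === true) && mode !== 'view';`. The function fillDataFromJwt also gains a boolean result via `let res = true;` with no documentation of the new contract; a JSDoc line at its signature such as `@returns {boolean} false when the client-supplied data.permissions differ from the permissions signed in the token` would make the caller's access-denied branch understandable. fillDataFromJwt's body continues past the end of this hunk.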
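Review bot: The added `res = deepEqual(data.permissions, doc.permissions, {strict: true});` runs only inside `if(doc.permissions)`, so when the token carries no `permissions` claim the client-supplied `data.permissions` is left in force and `res` stays true; whether tokens are guaranteed to carry that claim whenever permissions matter is not visible here and is worth stating in a comment. In the same branch, the `if(!data.permissions){ data.permissions = {}; }` fallback two lines below now follows a comparison that already returned false for a missing `data.permissions` (deep-equal of `undefined` against an object), so either that fallback is dead or clients that omit permissions and rely on the token are now denied — confirm which is intended. A why-comment such as `// reject the connection when the client-sent permissions do not match the signed token's` would also explain the `strict` comparison to the next maintainer. The enclosing fillDataFromJwt starts and ends outside this hunk.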
@@ -1779,7 +1784,11 @@ exports.install = function(server, callbackFunction) {
 const isSession = !!data.jwtSession;
 const checkJwtRes = checkJwt(docId, data.jwtSession || data.jwtOpen, isSession);
 if (checkJwtRes.decoded) {
- fillDataFromJwt(checkJwtRes.decoded, data);
+ if (!fillDataFromJwt(checkJwtRes.decoded, data)) {
+ logger.warn("fillDataFromJwt return false: docId = %s", docId);
+ conn.close(constants.ACCESS_DENIED_CODE, constants.ACCESS_DENIED_REASON);
+ return;
+ }
 } else {
 conn.close(checkJwtRes.code, checkJwtRes.description);
 return;
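Review bot: The new denial branch logs only that the helper returned false, `logger.warn("fillDataFromJwt return false: docId = %s", docId);`, which hides the actual cause (client-sent permissions differing from the token's) from whoever reads the log, and a denial at the point of connection is exactly the event an operator wants to triage quickly. A message naming the condition, e.g. `logger.warn("permissions in client data differ from token permissions, access denied: docId = %s", docId);`, makes the warning actionable without logging the token or the permission objects themselves. The enclosing function starts before and ends after this hunk.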