diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java
index aa39abb..ddf46f4 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/LfsAuthUserProvider.java
@@ -28,7 +28,7 @@
 import com.google.inject.Singleton;
 
 @Singleton
-class LfsAuthUserProvider {
+public class LfsAuthUserProvider {
   private static final String BASIC_AUTH_PREFIX = "Basic ";
 
   private final Provider<AnonymousUser> anonymous;
@@ -51,7 +51,7 @@
     this.userFactory = userFactory;
   }
 
-  CurrentUser getUser(String auth, String project, String operation) {
+  public CurrentUser getUser(String auth, String project, String operation) {
     if (!Strings.isNullOrEmpty(auth)) {
       if (auth.startsWith(BASIC_AUTH_PREFIX)) {
         return user.get();
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
index 4314f77..c08d937 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsGetLocksAction.java
@@ -19,13 +19,19 @@
 
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gerrit.server.project.ProjectControl;
+import com.google.gerrit.server.project.ProjectState;
 import com.google.inject.Inject;
 import com.google.inject.assistedinject.Assisted;
+import com.googlesource.gerrit.plugins.lfs.LfsAuthUserProvider;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.eclipse.jgit.lfs.errors.LfsException;
+import org.eclipse.jgit.lfs.errors.LfsUnauthorized;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -38,23 +44,37 @@
   private static final Logger log = LoggerFactory.getLogger(LfsGetLocksAction.class);
 
   @Inject
-  LfsGetLocksAction(@Assisted LfsLocksContext context) {
-    super(context);
+  LfsGetLocksAction(
+      ProjectCache projectCache,
+      LfsAuthUserProvider userProvider,
+      @Assisted LfsLocksContext context) {
+    super(projectCache, userProvider, context);
   }
 
   @Override
-  protected void doRun() throws LfsException, IOException {
+  protected String getProjectName() throws LfsException {
     Matcher matcher = LFS_LOCKS_URL_PATTERN.matcher(context.path);
     if (matcher.matches()) {
-      String project = matcher.group(1);
-      listLocks(project);
+      return matcher.group(1);
     }
 
     throw new LfsException("no repository at " + context.path);
   }
 
-  private void listLocks(String project) throws IOException {
-    log.debug("Get list of locks for {} project", project);
+  @Override
+  protected void authorizeUser(ProjectControl control) throws LfsUnauthorized {
+    if (!control.isReadable()) {
+      throwUnauthorizedOp("list locks", control);
+    }
+  }
+
+  @Override
+  protected void doRun(ProjectState project, CurrentUser user) throws LfsException, IOException {
+    listLocks(project);
+  }
+
+  private void listLocks(ProjectState project) throws IOException {
+    log.debug("Get list of locks for {} project", project.getProject().getName());
     //TODO method stub for getting project's locks list
 
     // stub for searching lock by path
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksAction.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksAction.java
index 1408348..4384c6d 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksAction.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksAction.java
@@ -14,37 +14,101 @@
 
 package com.googlesource.gerrit.plugins.lfs.locks;
 
+import static com.google.gerrit.extensions.client.ProjectState.HIDDEN;
 import static org.apache.http.HttpStatus.SC_INTERNAL_SERVER_ERROR;
+import static org.apache.http.HttpStatus.SC_NOT_FOUND;
+import static org.apache.http.HttpStatus.SC_UNAUTHORIZED;
+import static org.eclipse.jgit.util.HttpSupport.HDR_AUTHORIZATION;
 
+import com.google.common.base.Strings;
+import com.google.gerrit.common.ProjectUtil;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gerrit.server.project.ProjectControl;
+import com.google.gerrit.server.project.ProjectState;
+import com.googlesource.gerrit.plugins.lfs.LfsAuthUserProvider;
 import java.io.IOException;
 import org.eclipse.jgit.lfs.errors.LfsException;
+import org.eclipse.jgit.lfs.errors.LfsRepositoryNotFound;
+import org.eclipse.jgit.lfs.errors.LfsUnauthorized;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.DateTimeFormatter;
 import org.joda.time.format.ISODateTimeFormat;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 abstract class LfsLocksAction {
   interface Factory<T extends LfsLocksAction> {
     T create(LfsLocksContext context);
   }
 
+  private static final Logger log = LoggerFactory.getLogger(LfsLocksAction.class);
   private static final DateTimeFormatter ISO = ISODateTimeFormat.dateTime();
+  /** Git LFS client uses 'upload' operation to authorize SSH Lock requests */
+  private static final String LFS_LOCKING_OPERATION = "upload";
 
+  protected final ProjectCache projectCache;
+  protected final LfsAuthUserProvider userProvider;
   protected final LfsLocksContext context;
 
-  protected LfsLocksAction(LfsLocksContext context) {
+  protected LfsLocksAction(
+      ProjectCache projectCache, LfsAuthUserProvider userProvider, LfsLocksContext context) {
+    this.projectCache = projectCache;
+    this.userProvider = userProvider;
     this.context = context;
   }
 
   public void run() throws IOException {
     try {
-      doRun();
+      String name = getProjectName();
+      ProjectState project = getProject(name);
+      CurrentUser user = getUser(name);
+      ProjectControl control = project.controlFor(user);
+      authorizeUser(control);
+      doRun(project, user);
+    } catch (LfsUnauthorized e) {
+      context.sendError(SC_UNAUTHORIZED, e.getMessage());
+    } catch (LfsRepositoryNotFound e) {
+      context.sendError(SC_NOT_FOUND, e.getMessage());
     } catch (LfsException e) {
       context.sendError(SC_INTERNAL_SERVER_ERROR, e.getMessage());
     }
   }
 
-  protected abstract void doRun() throws LfsException, IOException;
+  protected abstract String getProjectName() throws LfsException;
+
+  protected abstract void authorizeUser(ProjectControl control) throws LfsUnauthorized;
+
+  protected abstract void doRun(ProjectState project, CurrentUser user)
+      throws LfsException, IOException;
+
+  protected ProjectState getProject(String name) throws LfsRepositoryNotFound {
+    Project.NameKey project = Project.NameKey.parse(ProjectUtil.stripGitSuffix(name));
+    ProjectState state = projectCache.get(project);
+    if (state == null || state.getProject().getState() == HIDDEN) {
+      throw new LfsRepositoryNotFound(project.get());
+    }
+    return state;
+  }
+
+  protected CurrentUser getUser(String project) {
+    return userProvider.getUser(
+        context.getHeader(HDR_AUTHORIZATION), project, LFS_LOCKING_OPERATION);
+  }
+
+  protected void throwUnauthorizedOp(String op, ProjectControl control) throws LfsUnauthorized {
+    String project = control.getProject().getName();
+    String userName =
+        Strings.isNullOrEmpty(control.getUser().getUserName())
+            ? "anonymous"
+            : control.getUser().getUserName();
+    log.debug(
+        String.format(
+            "operation %s unauthorized for user %s on project %s", op, userName, project));
+    throw new LfsUnauthorized(op, project);
+  }
 
   protected String now() {
     return ISO.print(DateTime.now().toDateTime(DateTimeZone.UTC));
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksContext.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksContext.java
index 309c252..c58b6a7 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksContext.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsLocksContext.java
@@ -78,6 +78,10 @@
     setLfsResponseType();
   }
 
+  String getHeader(String name) {
+    return req.getHeader(name);
+  }
+
   String getParam(String name) {
     return req.getParameter(name);
   }
diff --git a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsPutLocksAction.java b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsPutLocksAction.java
index c26a75c..e2e28f8 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsPutLocksAction.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/lfs/locks/LfsPutLocksAction.java
@@ -19,13 +19,20 @@
 import static com.googlesource.gerrit.plugins.lfs.locks.LfsGetLocksAction.LFS_LOCKS_URL_PATTERN;
 
 import com.google.common.base.Strings;
+import com.google.gerrit.common.data.Capable;
+import com.google.gerrit.server.CurrentUser;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gerrit.server.project.ProjectControl;
+import com.google.gerrit.server.project.ProjectState;
 import com.google.inject.Inject;
 import com.google.inject.assistedinject.Assisted;
+import com.googlesource.gerrit.plugins.lfs.LfsAuthUserProvider;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.eclipse.jgit.lfs.errors.LfsException;
+import org.eclipse.jgit.lfs.errors.LfsUnauthorized;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -36,69 +43,122 @@
   private static final Pattern LFS_VERIFICATION_URL_PATTERN =
       Pattern.compile(String.format(LFS_URL_REGEX_TEMPLATE, LFS_VERIFICATION_PATH));
 
+  protected LockAction action;
+
   @Inject
-  LfsPutLocksAction(@Assisted LfsLocksContext context) {
-    super(context);
+  LfsPutLocksAction(
+      ProjectCache projectCache,
+      LfsAuthUserProvider userProvider,
+      @Assisted LfsLocksContext context) {
+    super(projectCache, userProvider, context);
   }
 
   @Override
-  protected void doRun() throws LfsException, IOException {
+  protected String getProjectName() throws LfsException {
     Matcher matcher = LFS_LOCKS_URL_PATTERN.matcher(context.path);
     if (matcher.matches()) {
       String project = matcher.group(1);
       String lockId = matcher.group(2);
       if (Strings.isNullOrEmpty(lockId)) {
-        createLock(project, context);
+        action = new CreateLock();
       } else {
-        deleteLock(project, lockId, context);
+        action = new DeleteLock(lockId);
       }
-      return;
+      return project;
     }
 
     matcher = LFS_VERIFICATION_URL_PATTERN.matcher(context.path);
     if (matcher.matches()) {
-      verifyLocks(matcher.group(1), context);
-      return;
+      action = new VerifyLock();
+      return matcher.group(1);
     }
 
     throw new LfsException(String.format("Unsupported path %s was provided", context.path));
   }
 
-  private void verifyLocks(String project, LfsLocksContext action) throws IOException {
-    log.debug("Verify list of locks for {} project", project);
-    //TODO method stub for verifying locks
-    action.sendResponse(
-        new LfsVerifyLocksResponse(Collections.emptyList(), Collections.emptyList(), null));
+  @Override
+  protected void authorizeUser(ProjectControl control) throws LfsUnauthorized {
+    // all operations require push permission
+    if (Capable.OK != control.canPushToAtLeastOneRef()) {
+      throwUnauthorizedOp(action.getName(), control);
+    }
   }
 
-  private void deleteLock(String project, String lockId, LfsLocksContext action)
-      throws IOException {
-    LfsDeleteLockInput input = action.input(LfsDeleteLockInput.class);
-    log.debug(
-        "Delete (-f {}) lock for {} in project {}",
-        Boolean.TRUE.equals(input.force),
-        lockId,
-        project);
-    //TODO: this is just the method stub for lock deletion
-    LfsLock lock =
-        new LfsLock(
-            "random_id",
-            "some/path/to/file",
-            now(),
-            new LfsLockOwner("Lock Owner <lock_owner@example.com>"));
-    action.sendResponse(lock);
+  @Override
+  protected void doRun(ProjectState project, CurrentUser user) throws LfsException, IOException {
+    action.run(project, user);
   }
 
-  private void createLock(String project, LfsLocksContext action) throws IOException {
-    LfsCreateLockInput input = action.input(LfsCreateLockInput.class);
-    log.debug("Create lock for {} in project {}", input.path, project);
-    //TODO: this is just the method stub lock creation
-    LfsLock lock =
-        new LfsLock(
-            "random_id",
-            input.path,
-            now(),
-            new LfsLockOwner("Lock Owner <lock_owner@example.com>"));
-    action.sendResponse(lock);
+  private interface LockAction {
+    String getName();
+
+    void run(ProjectState project, CurrentUser user) throws LfsException, IOException;
+  }
+
+  private class CreateLock implements LockAction {
+    @Override
+    public String getName() {
+      return "create lock";
+    }
+
+    @Override
+    public void run(ProjectState project, CurrentUser user) throws LfsException, IOException {
+      LfsCreateLockInput input = context.input(LfsCreateLockInput.class);
+      log.debug("Create lock for {} in project {}", input.path, project);
+      //TODO: this is just the method stub lock creation
+      LfsLock lock =
+          new LfsLock(
+              "random_id",
+              input.path,
+              now(),
+              new LfsLockOwner("Lock Owner <lock_owner@example.com>"));
+      context.sendResponse(lock);
+    }
+  }
+
+  private class DeleteLock implements LockAction {
+    private final String lockId;
+
+    private DeleteLock(String lockId) {
+      this.lockId = lockId;
+    }
+
+    @Override
+    public String getName() {
+      return "delete lock";
+    }
+
+    @Override
+    public void run(ProjectState project, CurrentUser user) throws LfsException, IOException {
+      LfsDeleteLockInput input = context.input(LfsDeleteLockInput.class);
+      log.debug(
+          "Delete (-f {}) lock for {} in project {}",
+          Boolean.TRUE.equals(input.force),
+          lockId,
+          project);
+      //TODO: this is just the method stub for lock deletion
+      LfsLock lock =
+          new LfsLock(
+              lockId,
+              "some/path/to/file",
+              now(),
+              new LfsLockOwner("Lock Owner <lock_owner@example.com>"));
+      context.sendResponse(lock);
+    }
+  }
+
+  private class VerifyLock implements LockAction {
+    @Override
+    public String getName() {
+      return "verify lock";
+    }
+
+    @Override
+    public void run(ProjectState project, CurrentUser user) throws LfsException, IOException {
+      log.debug("Verify list of locks for {} project", project);
+      //TODO method stub for verifying locks
+      context.sendResponse(
+          new LfsVerifyLocksResponse(Collections.emptyList(), Collections.emptyList(), null));
+    }
   }
 }