diff --git a/app/corpora/routes.py b/app/corpora/routes.py
index 4b10fa2c..8d2dd45f 100644
--- a/app/corpora/routes.py
+++ b/app/corpora/routes.py
@@ -7,15 +7,21 @@ from flask import (
     redirect,
     render_template,
     request,
-    send_from_directory,
-    url_for
+    send_from_directory
 )
 from flask_login import current_user, login_required
 from threading import Thread
 import jwt
 import os
 from app import db, hashids
-from app.models import Corpus, CorpusFile, CorpusStatus, User
+from app.models import (
+    Corpus,
+    CorpusFile,
+    CorpusFollowerAssociation,
+    CorpusFollowPermission,
+    CorpusStatus,
+    User
+)
 from . import bp
 from .forms import (
     CreateCorpusFileForm,
@@ -24,23 +30,6 @@ from .forms import (
 )
 
 
-# @bp.route('/share/<token>', methods=['GET', 'POST'])
-# def share_corpus(token):
-#     try:
-#         payload = jwt.decode(
-#             token,
-#             current_app.config['SECRET_KEY'],
-#             algorithms=['HS256'],
-#             issuer=current_app.config['SERVER_NAME'],
-#             options={'require': ['iat', 'iss', 'sub']}
-#         )
-#     except jwt.PyJWTError:
-#         return False
-#     corpus_hashid = payload.get('sub')
-#     corpus_id = hashids.decode(corpus_hashid)
-#     return redirect(url_for('.corpus', corpus_id=corpus_id))
-
-
 @bp.route('/<hashid:corpus_id>/enable_is_public', methods=['POST'])
 @login_required
 def enable_corpus_is_public(corpus_id):
@@ -63,24 +52,22 @@ def disable_corpus_is_public(corpus_id):
     return '', 204
 
 
-# @bp.route('/<hashid:corpus_id>/follow', methods=['GET', 'POST'])
+# @bp.route('/<hashid:corpus_id>/follow/<token>')
 # @login_required
-# def follow_corpus(corpus_id):
-#     corpus = Corpus.query.get_or_404(corpus_id)
-#     user_hashid = request.args.get('user_id')
-#     if user_hashid is None:
-#         user = current_user
-#     else:
-#         if not current_user.is_administrator():
-#             abort(403)
-#         else:
-#             user_id = hashids.decode(user_hashid)
-#             user = User.query.get_or_404(user_id)
-#     if not user.is_following_corpus(corpus):
-#         user.follow_corpus(corpus)
-#     db.session.commit()
-#     flash(f'You are following {corpus.title} now', category='corpus')
-#     return {}, 202
+# def follow_corpus(corpus_id, token):
+#     try:
+#         payload = jwt.decode(
+#             token,
+#             current_app.config['SECRET_KEY'],
+#             algorithms=['HS256'],
+#             issuer=current_app.config['SERVER_NAME'],
+#             options={'require': ['iat', 'iss', 'sub']}
+#         )
+#     except jwt.PyJWTError:
+#         return False
+#     corpus_hashid = payload.get('sub')
+#     corpus_id = hashids.decode(corpus_hashid)
+#     return redirect(url_for('.corpus', corpus_id=corpus_id))
 
 
 @bp.route('/<hashid:corpus_id>/unfollow', methods=['GET', 'POST'])
@@ -99,23 +86,35 @@ def unfollow_corpus(corpus_id):
         user.unfollow_corpus(corpus)
     db.session.commit()
     flash(f'You are not following {corpus.title} anymore', category='corpus')
-    return {}, 202
+    return '', 204
 
 
-# @bp.route('/add_permission/<hashid:corpus_id>/<hashid:user_id>/<int:permission>')
-# def add_permission(corpus_id, user_id, permission):
-#     a = CorpusFollowerAssociation.query.filter_by(followed_corpus_id=corpus_id, following_user_id=user_id).first_or_404()
-#     a.add_permission(permission)
-#     db.session.commit()
-#     return 'ok'
+@bp.route('/<hashid:corpus_id>/followers/<hashid:user_id>/permissions/add', methods=['POST'])
+def add_permission(corpus_id, user_id, permission):
+    corpus_follow_association = CorpusFollowerAssociation.query.filter_by(followed_corpus_id=corpus_id, following_user_id=user_id).first_or_404()
+    permission = request.args.get('permission', type=int)
+    corpus = corpus_follow_association.followed_corpus
+    if not (corpus.user == current_user or current_user.is_administrator()):
+        abort(403)
+    if permission is None or permission not in iter(CorpusFollowPermission):
+        abort(400)
+    corpus_follow_association.add_permission(permission)
+    db.session.commit()
+    return '', 204
 
 
-# @bp.route('/remove_permission/<hashid:corpus_id>/<hashid:user_id>/<int:permission>')
-# def remove_permission(corpus_id, user_id, permission):
-#     a = CorpusFollowerAssociation.query.filter_by(followed_corpus_id=corpus_id, following_user_id=user_id).first_or_404()
-#     a.remove_permission(permission)
-#     db.session.commit()
-#     return 'ok'
+@bp.route('/<hashid:corpus_id>/followers/<hashid:user_id>/permissions/remove', methods=['POST'])
+def remove_permission(corpus_id, user_id, permission):
+    corpus_follow_association = CorpusFollowerAssociation.query.filter_by(followed_corpus_id=corpus_id, following_user_id=user_id).first_or_404()
+    permission = request.args.get('permission')
+    corpus = corpus_follow_association.followed_corpus
+    if not (corpus.user == current_user or current_user.is_administrator()):
+        abort(403)
+    if permission is None or permission not in iter(CorpusFollowPermission):
+        abort(400)
+    corpus_follow_association.remove_permission(permission)
+    db.session.commit()
+    return '', 204
 
 
 @bp.route('/public')
diff --git a/app/static/js/Utils.js b/app/static/js/Utils.js
index aee382a0..e2ac84ab 100644
--- a/app/static/js/Utils.js
+++ b/app/static/js/Utils.js
@@ -69,6 +69,44 @@ class Utils {
     return Utils.mergeObjectsDeep(mergedObject, ...objects.slice(2));
   }
 
+  static addCorpusFollowerPermissionRequest(corpusId, followerId, permission) {
+    return new Promise((resolve, reject) => {
+      fetch(`/corpora/${corpusId}/followers/${followerId}/add_permission?permission=${permission}`, {method: 'POST', headers: {Accept: 'application/json'}})
+        .then(
+          (response) => {
+            if (response.status === 400) {app.flash('Bad Request', 'error'); reject(response);}
+            if (response.status === 403) {app.flash('Forbidden', 'error'); reject(response);}
+            if (response.status === 404) {app.flash('Not Found', 'error'); reject(response);}
+            app.flash(`Permission added`, 'corpus');
+            resolve(response);
+          },
+          (response) => {
+            app.flash('Something went wrong', 'error');
+            reject(response);
+          }
+        );
+    });
+  }
+
+  static removeCorpusFollowerPermissionRequest(corpusId, followerId, permission) {
+    return new Promise((resolve, reject) => {
+      fetch(`/corpora/${corpusId}/followers/${followerId}/remove_permission?permission=${permission}`, {method: 'POST', headers: {Accept: 'application/json'}})
+        .then(
+          (response) => {
+            if (response.status === 400) {app.flash('Bad Request', 'error'); reject(response);}
+            if (response.status === 403) {app.flash('Forbidden', 'error'); reject(response);}
+            if (response.status === 404) {app.flash('Not Found', 'error'); reject(response);}
+            app.flash(`Permission removed`, 'corpus');
+            resolve(response);
+          },
+          (response) => {
+            app.flash('Something went wrong', 'error');
+            reject(response);
+          }
+        );
+    });
+  }
+
   static enableCorpusIsPublicRequest(userId, corpusId) {
     return new Promise((resolve, reject) => {
       let corpus;