diff --git a/src/upload.ts b/src/upload.ts
index 5718dcf..9b731e8 100644
--- a/src/upload.ts
+++ b/src/upload.ts
@@ -3,14 +3,18 @@ import * as fs from 'fs';
 const StreamZip = require('node-stream-zip');
 import { parseSM } from './lib/smparse';
-import { File } from './schema';
+import { File, User } from './schema';
 export function run(app) {
 const logger = app.get('logger');
 app.post('/api/upload', async (req, res) => { // only for testing, very abusable
 if (!req.files) return res.status(400).send('No files were given');
- if (!req.session.uuid) return res.status(401).send('Not authorized');
+ if (!req.session.uuid) return res.status(401).send('Not authorized, use /discordauth');
+
+ const user = (await User.find({uuid: req.session.uuid}))[0];
+ if (!user) return res.status(401).send('User doesn\'t exist, try re-logging in');
+ if (!user.get('approvedUpload')) return res.status(403).send('Your account is not allowed to upload files! Contact a moderator to verify your account');
 const file = req.files.file;
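Review bot: The added `await User.find(...)` lookup has no error handling visible in the hunk, so a rejected query (database unavailable, timeout) would leave the request without a response. If this app runs on Express 4, rejections from async handlers are not forwarded to the error middleware, so the failure would surface as an unhandled rejection. Wrapping the lookup in a try/catch that logs through `logger` and answers with a 500 keeps the approval gate fail-closed and makes failures visible; the handler body continues outside the hunk, so a later catch may exist but would not cover this line. Since only one record is used, and assuming `User` is a Mongoose-style model, `const user = await User.findOne({uuid: req.session.uuid});` states the intent more directly than `find(...)[0]`. The `// only for testing, very abusable` comment on `app.post` looks stale now that uploads are gated on `approvedUpload`; either update it or note what abuse remains for approved accounts.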