diff --git a/django_ckeditor_5/views.py b/django_ckeditor_5/views.py
index e34aca2..61c440c 100644
--- a/django_ckeditor_5/views.py
+++ b/django_ckeditor_5/views.py
@@ -72,11 +72,10 @@ def handle_uploaded_file(user, f):
 def upload_file(request):
- # Allow admins and initiators to upload files
- # FIXME: implement a proper permission method which can be provided via the settings
- if (
- request.method == "POST" and
- (request.user.is_staff or request.user.organisation_set.exists())):
+ if request.method == "POST":
+ if not getattr(settings, "CKEDITOR_5_UNRESTRICTED_UPLOADS", False):
+ if not request.user.is_staff:
+ raise Http404(_("Page not found."))
 form = UploadFileForm(request.POST, request.FILES)
 allow_all_file_types = getattr(settings, "CKEDITOR_5_ALLOW_ALL_FILE_TYPES", False)
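Review bot: With `CKEDITOR_5_UNRESTRICTED_UPLOADS` set, the new branch in `upload_file` skips every check on `request.user`, so an anonymous POST reaches `UploadFileForm`, and presumably no file-type restriction applies either when `CKEDITOR_5_ALLOW_ALL_FILE_TYPES` is also on. If anonymous uploads are not the intent, keep an authentication floor ahead of the settings test, e.g. `if not request.user.is_authenticated: raise Http404(_("Page not found."))`, and let the flag relax only the `is_staff` requirement. If they are the intent, say so in a comment above the flag lookup, such as `# CKEDITOR_5_UNRESTRICTED_UPLOADS: accepts uploads from any client, including unauthenticated ones`. The removed FIXME asked for a permission method supplied via settings, and a single boolean gives deployments no way to express the old organisation-based rule. The body of `upload_file` continues past the hunk, and the imports for `Http404` and `_` are not visible here.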