diff --git a/app/controllers/api/attachments_controller.rb b/app/controllers/api/attachments_controller.rb
index c81aa0f9..cfab8eaa 100644
--- a/app/controllers/api/attachments_controller.rb
+++ b/app/controllers/api/attachments_controller.rb
@@ -10,7 +10,7 @@ module Api
     def create
       submitter = Submitter.find_by!(slug: params[:submitter_slug])
 
-      unless can_upload?(submitter)
+      unless can_upload?(submitter) && authorized_for_form?(submitter)
         Rollbar.error("Can't upload: #{submitter.id}") if defined?(Rollbar)
 
         return render json: { error: I18n.t('form_has_been_archived') }, status: :unprocessable_content
@@ -46,6 +46,12 @@ module Api
       render json: { error: e.message }, status: :unprocessable_content
     end
 
+    private
+
+    def authorized_for_form?(submitter)
+      Submitters::AuthorizedForForm.call(submitter, nil, request)
+    end
+
     def can_upload?(submitter)
       !submitter.declined_at? && !submitter.completed_at? &&
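Review bot: Folding `authorized_for_form?(submitter)` into the existing `unless` means an authorization failure now takes the same branch as an archived or finished form: it is logged to Rollbar as "Can't upload" and answered with `I18n.t('form_has_been_archived')` and `:unprocessable_content`, which misreports the cause to the client and hides authorization denials in the error log. Keep the first line as `unless can_upload?(submitter)` and add a separate guard after the block's `end` (which lies outside the hunk, as does the rest of `create`): `return head :forbidden unless authorized_for_form?(submitter)`, or a JSON body with a dedicated message if the API's clients expect one. That also gives a 403 that can be distinguished from the 422 when reviewing logs or metrics. What `Submitters::AuthorizedForForm.call(submitter, nil, request)` checks is not visible here, so the exact wording of the denial message should follow that service's contract.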