diff --git a/config.sample.js b/config.sample.js
index 6deae62..43ff04a 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -7,6 +7,14 @@ module.exports = {
   */
   private: true,
 
+  /*
+    If set, only the specified group AND any groups higher than it
+    will be allowed to upload new files.
+    Any other groups, assuming registered, will still be able to manage their previously uploaded files.
+  */
+  privateUploadGroup: null, // Other group names in controllers/permissionController.js
+  privateUploadCustomRespond: null,
+
   /*
     If true, users will be able to create accounts and access their uploaded files.
   */
@@ -283,26 +291,26 @@ module.exports = {
     urlProxy: 'https://proxy.duckduckgo.com/iu/?u={url}',
 
     /*
-     Disclaimer message that will be printed underneath the URL uploads form.
-     Supports HTML. Be safe though.
+      Disclaimer message that will be printed underneath the URL uploads form.
+      Supports HTML. Be safe though.
     */
     urlDisclaimerMessage: 'URL uploads are being proxied by <a href="https://duckduckgo.com/" target="_blank" rel="noopener">DuckDuckGo</a>.',
 
     /*
-     Filter mode for URL uploads.
-     Can be 'blacklist', 'whitelist', or 'inherit'.
-     'inherit' => inherit primary extensions filter (extensionsFilter option).
-     The rest are paired with urlExtensionsFilter option below and should be self-explanatory.
-     When this is not set to any of the 3 values, this will fallback to 'inherit'.
+      Filter mode for URL uploads.
+      Can be 'blacklist', 'whitelist', or 'inherit'.
+      'inherit' => inherit primary extensions filter (extensionsFilter option).
+      The rest are paired with urlExtensionsFilter option below and should be self-explanatory.
+      When this is not set to any of the 3 values, this will fallback to 'inherit'.
     */
     urlExtensionsFilterMode: 'whitelist',
 
     /*
-     Mainly intended for URL proxies that only support certain extensions.
-     This will parse the extensions from the URLs, so URLs that do not end with
-     the file's extensions will always be rejected.
-     Queries and segments in the URLs will be bypassed.
-     NOTE: Can not be empty when using either 'blacklist' or 'whitelist' mode.
+      Mainly intended for URL proxies that only support certain extensions.
+      This will parse the extensions from the URLs, so URLs that do not end with
+      the file's extensions will always be rejected.
+      Queries and segments in the URLs will be bypassed.
+      NOTE: Can not be empty when using either 'blacklist' or 'whitelist' mode.
     */
     urlExtensionsFilter: [
       '.webp',
diff --git a/controllers/uploadController.js b/controllers/uploadController.js
index 35aaf71..6ba65ac 100644
--- a/controllers/uploadController.js
+++ b/controllers/uploadController.js
@@ -264,6 +264,12 @@ self.upload = async (req, res, next) => {
       user = await utils.assertUser(req.headers.token)
     }
 
+    if (config.privateUploadGroup) {
+      if (!user || !perms.is(user, config.privateUploadGroup)) {
+        throw new ClientError(config.privateUploadCustomRespond || 'Your usergroup is not permitted to upload new files.', { statusCode: 403 })
+      }
+    }
+
     let albumid = parseInt(req.headers.albumid || req.params.albumid)
     if (isNaN(albumid)) albumid = null