DirectUploadsController only accepts confirmed users

app/controllers/concerns/controllers/user/authorization.rb

@@ -39,11 +39,15 @@ module Controllers::User::Authorization
       QueryRoles.user_has_role?(current_user.id, role_names, host_id)
     end
 
-    def authenticate_confirmed_user!
+    def authenticate_confirmed_user!(msg=nil, type= :html)
       if !current_user
-        reject_with_sign_in
+        reject_with_sign_in(msg, type)
       elsif !current_user.confirmed? && !current_role?(%i[super_associate super_admin])
+        if type == :html
           redirect_to new_user_confirmation_path, flash: { error: 'You need to confirm your account to do that.' }
+        else
+          render json: {message:msg}, status: :unauthorized
+        end
       end
     end
   

app/controllers/direct_uploads_controller.rb

@@ -1,10 +1,14 @@
 # frozen_string_literal: true
 
-#
+# License: AGPL-3.0-or-later WITH WTO-AP-3.0-or-later
+# Full license explanation at https://github.com/houdiniproject/houdini/blob/master/LICENSE
 class DirectUploadsController < ActiveStorage::DirectUploadsController
 	include Controllers::Nonprofit::Authorization
 	skip_before_action :verify_authenticity_token, only: [:create]
-	before_action  do
-		authenticate_user!("You must be logged in to use this", :json)
+	before_action  :authenticate_user_with_json!
+
+private
+	def authenticate_confirmed_user_with_json!
+		authenticate_confirmed_user!("You must be logged in to use this", :json)
 	end
 end