diff --git a/BrainPortal/app/controllers/userfiles_controller.rb b/BrainPortal/app/controllers/userfiles_controller.rb index 49ec78f2f..dcb16dfaa 100644 --- a/BrainPortal/app/controllers/userfiles_controller.rb +++ b/BrainPortal/app/controllers/userfiles_controller.rb @@ -538,7 +538,10 @@ def create #:nodoc: rack_tempfile_size = upload_stream.tempfile.size # Get the data provider for the destination files. - data_provider_id = params[:data_provider_id] + data_provider_id = params[:data_provider_id] + + # Verify that the DP is accessible to the user - this will raise an exception otherwise + DataProvider.find_accessible_by_user(data_provider_id, current_user) # Where we'll keep a copy in the spawn() below tmpcontentfile = "/tmp/#{Process.pid}-#{rand(10000).to_s}-#{basename}" # basename's extension is used later on diff --git a/BrainPortal/spec/controllers/userfiles_controller_spec.rb b/BrainPortal/spec/controllers/userfiles_controller_spec.rb index 7db478e29..f0ec1abe7 100644 --- a/BrainPortal/spec/controllers/userfiles_controller_spec.rb +++ b/BrainPortal/spec/controllers/userfiles_controller_spec.rb @@ -263,10 +263,11 @@ class << file; attr_reader :tempfile; end before(:each) do session[:session_id] = 'session_id' - allow(controller).to receive(:current_user).and_return(admin) - allow(Message).to receive(:send_message) - allow(File).to receive(:delete) - allow(controller).to receive(:system) + allow(controller).to receive(:current_user).and_return(admin) + allow(Message).to receive(:send_message) + allow(File).to receive(:delete) + allow(controller).to receive(:system) + allow(DataProvider).to receive(:find_accessible_by_user).and_return(data_provider) end it "should redirect to index if the upload file is blank" do 
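Review bot: In `create` (userfiles_controller.rb), the new `DataProvider.find_accessible_by_user(data_provider_id, current_user)` call discards the record it looks up, so the code after it still works from the raw `params[:data_provider_id]` value rather than from the provider that was authorized. Binding the two together, e.g. `data_provider_id = DataProvider.find_accessible_by_user(params[:data_provider_id], current_user).id`, ensures the id used later is the one that passed the check. Because this action writes a new file to the provider, it is also worth confirming that "accessible" is the right level: if that lookup only establishes read or visibility access, a provider the user can see but should not write to would still be accepted. A short comment naming the exception raised and how it becomes a response would help, since `create` starts and ends outside this hunk and the handling is not visible here.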
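Review bot: The `before(:each)` stub `allow(DataProvider).to receive(:find_accessible_by_user).and_return(data_provider)` in userfiles_controller_spec.rb makes the new access check always succeed, so no example covers the case the commit exists for: a user posting a `data_provider_id` they cannot access. Add an example where the stub raises, for instance `allow(DataProvider).to receive(:find_accessible_by_user).and_raise(ActiveRecord::RecordNotFound)` (or whichever exception the real method raises), and assert that no userfile is created and nothing is copied to the cache. One `expect(DataProvider).to receive(:find_accessible_by_user).with(anything, admin)` would also make the spec fail if the call is ever removed from `create`. The examples updated in the later hunks (`should display an error message`, `should copy the file to the local cache`) only pass the new parameter and do not close this gap.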
@@ -300,7 +301,7 @@ class << file; attr_reader :tempfile; end end it "should display an error message" do - post :create, params: { :upload_file => mock_upload_stream, :archive => "save", userfile: userfile} + post :create, params: { :upload_file => mock_upload_stream, :archive => "save", userfile: userfile, :data_provider_id => data_provider.id} expect(flash[:error]).to match(/File .+ could not be added./) end end @@ -327,7 +328,7 @@ class << file; attr_reader :tempfile; end it "should copy the file to the local cache" do expect(mock_userfile).to receive(:cache_copy_from_local_file) - post :create, params: {:upload_file => mock_upload_stream, :archive => "save", userfile: userfile} + post :create, params: {:upload_file => mock_upload_stream, :archive => "save", userfile: userfile, :data_provider_id => data_provider.id} end end