diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
index fa06d7f910..6215f6a5b7 100644
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@@ -209,6 +209,16 @@ middleware.requireUser = function(req, res, next) {
 	res.render('403', {title: '[[global:403.title]]'});
 };
 
+middleware.privateUploads = function(req, res, next) {
+	if (req.user || parseInt(meta.config.privateUploads, 10) !== 1) {
+		return next();
+	}
+	if (req.path.startsWith('/uploads/files')) {
+		return res.status(403).json('not-allowed');
+	}
+	next();
+};
+
 
 module.exports = function(webserver) {
 	app = webserver;
diff --git a/src/routes/index.js b/src/routes/index.js
index 93dc9aaedb..ed872f9835 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -4,7 +4,6 @@ var nconf = require('nconf'),
 	path = require('path'),
 	winston = require('winston'),
 	controllers = require('../controllers'),
-	meta = require('../meta'),
 	plugins = require('../plugins'),
 	express = require('express'),
 
@@ -118,15 +117,7 @@ module.exports = function(app, middleware) {
 		require('./debug')(app, middleware, controllers);
 	}
 
-	app.use(function(req, res, next) {
-		if (req.user || parseInt(meta.config.privateUploads, 10) !== 1) {
-			return next();
-		}
-		if (req.path.startsWith('/uploads/files')) {
-			return res.status(403).json('not-allowed');
-		}
-		next();
-	});
+	app.use(middleware.privateUploads);
 
 	app.use(relativePath, express.static(path.join(__dirname, '../../', 'public'), {
 		maxAge: app.enabled('cache') ? 5184000000 : 0