I guess you could also solve this using ContentEvents. In the CreatingContent-event, check if it's a file and then check permissions. Cancel creating, if user does not have upload permission.

That would also work as a place to put the check.    The tricky part is the permissions - I need to give them create  so they can create blocks and upload PDFs, but not be able to upload image.  As is with "create" they can create any bit of content.

If I can somehow expand upon the defuault access levels (read, create, change, delete, administer, and publish) and create a "upload files" and "uploade images" levels to do the checks. 

Unless there is another approach to take to remove the upload image permission... 

This is maybe not the most elegant approach, but one option is adding a new group, like AuthorizedFileUploader, and add all users that should be allowed to upload files to this group. On file-upload, you can check is the user belongs to this group. If the user does not belong to the group, abort upload.

I would configure this with the Access level configuration of your media type either from code or from the admin interface.

By default it is set to Everyone, but you can add you own group/user here instead and then remove the Everyone. With this you are able to control it by usergroups and who is allowed to create a content type without use of any custom code to control this. 

In this case with mediatypes it would prevent the users that are not part of the configured group to upload any images.

Anders,

The probem with that approach is we have so many of groups, and just a handful of groups which we need to revoke access.  This becomes a maintaince nightmare.  That's why I'd to go for a code-approach.  

But I can do that for now as I play around with this a bit more.