Function that prevents users from uploading more photos

In general, your problem is that you check the condition on the front end but not on the backend. You have to check if a user is allowed to upload a file before moving it to the uploads directory and adding it as an attachment.

If the limitations you put are kind of nice to have, it might be enough to limit uploads in the UI, but if it has business or law-related implications then the only way is server-side checks.
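A server-side version of the check described above, as an added example that is not part of the original answer and not tied to any particular framework. The names `handle_upload`, `attachments`, `MAX_PHOTOS_PER_USER` and the limit of 3 are assumptions made for illustration.

```python
import os
import shutil
import tempfile
import threading
import uuid

MAX_PHOTOS_PER_USER = 3     # assumed limit; the page does not state one
_lock = threading.Lock()    # serialises check + write so parallel requests cannot exceed the limit
attachments = {}            # constructed stand-in for the attachments table: user_id -> [paths]


class UploadRejected(Exception):
    """Raised when the server refuses an upload."""


def handle_upload(user_id, tmp_path, uploads_dir, client_claimed_count=None):
    """Move tmp_path into uploads_dir and record it, only if the user is under the limit.

    client_claimed_count stands for whatever the front end reports about the
    user's photo count; it is deliberately ignored.
    """
    with _lock:
        current = len(attachments.get(user_id, []))  # authoritative count from server state
        if current >= MAX_PHOTOS_PER_USER:
            os.remove(tmp_path)                       # discard: the file never reaches uploads
            raise UploadRejected(f"limit of {MAX_PHOTOS_PER_USER} photos reached")
        os.makedirs(uploads_dir, exist_ok=True)
        dest = os.path.join(uploads_dir, f"{user_id}-{uuid.uuid4().hex}.jpg")
        shutil.move(tmp_path, dest)                   # move only after the check passed
        attachments.setdefault(user_id, []).append(dest)
        return dest


def demo():
    """Send 5 uploads straight to the handler, as requests that skipped the UI check would."""
    uploads = tempfile.mkdtemp()
    accepted = rejected = 0
    for _ in range(5):
        fd, tmp = tempfile.mkstemp()
        os.write(fd, b"constructed sample bytes")
        os.close(fd)
        try:
            handle_upload("user42", tmp, uploads, client_claimed_count=0)
            accepted += 1
        except UploadRejected:
            rejected += 1
    return accepted, rejected, len(os.listdir(uploads))


if __name__ == "__main__":
    print(demo())
```

The count is taken from server state inside the same lock that performs the move, so neither a modified front end nor two simultaneous requests can push a user past the limit.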