diff --git a/src/State/TaskDocumentProcessor.php b/src/State/TaskDocumentProcessor.php
index 3191e2f..51c6750 100644
--- a/src/State/TaskDocumentProcessor.php
+++ b/src/State/TaskDocumentProcessor.php
@@ -19,6 +19,7 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Uid\Uuid;
 
@@ -74,6 +75,13 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
      */
     public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): TaskDocument
     {
+        // Défense en profondeur : l'opération Post est déjà protégée par ROLE_ADMIN, mais on
+        // re-vérifie ici pour que les deux chemins (upload ET lien partage) restent sûrs si la
+        // configuration de sécurité de l'opération venait à changer.
+        if (!$this->security->isGranted('ROLE_ADMIN')) {
+            throw new AccessDeniedHttpException('Creating task documents requires admin privileges.');
+        }
+
         $request = $this->requestStack->getCurrentRequest();
 
         if (null === $request) {