the behavior may depend on your custom provider.
But whit the included FileSystemContentProvider things work as expected.
And this includes users created folders.
A user can only create folders where he has the permission to do so.
Which results also in the permission to write (upload there).
In my example http://www.telerik.com/community/code-library/aspnet-ajax/file-explorer/extending-the-radfileexplorer.aspx
I use a directory structure like this:
I set UploadPaths to XFiles which results in:
A user can create folders everywhere under XFiles (including subdirectories).
An he / she can also upload files to every directory (subdirectory) of \XFiles - also to newly created ones.
--to be clear - although I create my own (derived) provider in this sample - I did nothing to change the default behavior in this part of the original provider - so what you see there is exactly what the original provider does out of the box.
For me this looks like I expect it.
It is similar to "NTFS permissions" - I you are allowed to create files and folders under a tree - you can create folders there (not in a different tree where you don't have the rights).
And if you create a new folder there - you can also create files (upload in this case) in this new folder.