Check add_permission.

CHANGES.rst

@@ -4,6 +4,9 @@ Changelog
 2.3.3 (unreleased)
 ------------------
 
+- Check add_permission before checking constrains. Refs #37
+  [jaroel]
+
 - Remove obsolete css-class and text from statusmessages.
   [pbauer]
 

plone/dexterity/content.py

@@ -726,6 +726,12 @@ def invokeFactory(self, type_name, id, RESPONSE=None, *args, **kw):
         constrains = IConstrainTypes(self, None)
 
         if constrains:
+            # Do permission check before constrain checking so we'll get
+            # an Unauthorized over a ValueError.
+            fti = queryUtility(ITypeInformation, name=type_name)
+            if fti is not None and not fti.isConstructionAllowed(self):
+                raise Unauthorized('Cannot create %s' % fti.getId())
+
             allowed_ids = [
                 fti.getId() for fti in constrains.allowedContentTypes()
             ]