diff --git a/CHANGES.rst b/CHANGES.rst
index 3a8eb6a4..85132ff6 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -4,6 +4,9 @@ Changelog
 2.3.3 (unreleased)
 ------------------
 
+- Check add_permission before checking constrains. Refs #37
+  [jaroel]
+
 - Remove obsolete css-class and text from statusmessages.
   [pbauer]
 
diff --git a/plone/dexterity/content.py b/plone/dexterity/content.py
index 59e97c85..feff70eb 100644
--- a/plone/dexterity/content.py
+++ b/plone/dexterity/content.py
@@ -726,6 +726,12 @@ def invokeFactory(self, type_name, id, RESPONSE=None, *args, **kw):
         constrains = IConstrainTypes(self, None)
 
         if constrains:
+            # Do permission check before constrain checking so we'll get
+            # an Unauthorized over a ValueError.
+            fti = queryUtility(ITypeInformation, name=type_name)
+            if fti is not None and not fti.isConstructionAllowed(self):
+                raise Unauthorized('Cannot create %s' % fti.getId())
+
             allowed_ids = [
                 fti.getId() for fti in constrains.allowedContentTypes()
             ]