diff --git a/xwiki-platform-core/xwiki-platform-oldcore/pom.xml b/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
index 1a18cf7..aa57080 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
+++ b/xwiki-platform-core/xwiki-platform-oldcore/pom.xml
@@ -565,6 +565,11 @@
xwiki-platform-localization-api
${project.version}
+
+ org.xwiki.platform
+ xwiki-platform-security-api
+ ${project.version}
+
diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CreateAction.java b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CreateAction.java
index e391ea6..75cab45 100644
--- a/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CreateAction.java
+++ b/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CreateAction.java
@@ -29,10 +29,7 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xwiki.model.EntityType;
-import org.xwiki.model.reference.DocumentReference;
-import org.xwiki.model.reference.DocumentReferenceResolver;
-import org.xwiki.model.reference.EntityReference;
-import org.xwiki.model.reference.EntityReferenceSerializer;
+import org.xwiki.model.reference.*;
import org.xwiki.query.Query;
import org.xwiki.query.QueryManager;
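Review bot: The wildcard `import org.xwiki.model.reference.*;` replaces four explicit imports, apparently only to bring `SpaceReference` into scope. It hides which types the class depends on and can introduce name clashes when the package grows. Keep the four explicit imports and add `import org.xwiki.model.reference.SpaceReference;`. In the following hunk the two `org.xwiki.security.authorization` imports are appended after the `com.xpn.xwiki` group instead of sitting with the other `org.xwiki` imports, which an import-order style check, if the project runs one, would likely flag.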
@@ -43,6 +40,8 @@
import com.xpn.xwiki.doc.XWikiDocument;
import com.xpn.xwiki.objects.BaseObject;
import com.xpn.xwiki.util.Util;
+import org.xwiki.security.authorization.AuthorizationManager;
+import org.xwiki.security.authorization.Right;
/**
* Create document action.
@@ -145,6 +144,14 @@ public String render(XWikiContext context) throws XWikiException
space = request.getParameter(SPACE);
page = request.getParameter(PAGE);
}
+ // Checking rights
+ SpaceReference spaceReference = doc.getDocumentReference().getSpaceReferences().get(0);
+ AuthorizationManager authManager = Utils.getComponent(AuthorizationManager.class);
+ if(!authManager.hasAccess(Right.EDIT, context.getUserReference(), spaceReference)){
+ Object[] args = {doc.getFullName(), context.getUser()};
+ throw new XWikiException(XWikiException.MODULE_XWIKI_ACCESS, XWikiException.ERROR_XWIKI_ACCESS_DENIED,
+ "Access to document {0} has been denied to user {1}", null, args);
+ }
// get the available templates, in the current space, to check if all conditions to create a new document are
// met
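Review bot: The new EDIT check in render() is evaluated against `doc.getDocumentReference().getSpaceReferences().get(0)`, the first space of the current context document, not the location where the page will be created. The lines just above read `space` and `page` from the request, so the creation target can differ from `doc`, and unless a later check outside this hunk covers it, the right is verified on the wrong entity. With nested spaces `get(0)` also looks like it selects the outermost space rather than the immediate parent; confirm the ordering of `getSpaceReferences()`. Consider running the check after the target reference is resolved, e.g. `authManager.hasAccess(Right.EDIT, context.getUserReference(), newDocumentReference)`, where `newDocumentReference` is a placeholder for whatever reference render() builds from the request. render() starts before and continues after this hunk.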
diff --git a/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-bridge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java b/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-bridge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java
index 352a848..6fab715 100644
--- a/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-bridge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java
+++ b/xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-bridge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java
@@ -116,7 +116,7 @@
.putAction("objectsync", Right.EDIT)
.putAction("rollback", Right.EDIT)
.putAction("upload", Right.EDIT)
- .putAction("create", Right.EDIT)
+ .putAction("create", Right.VIEW)
.putAction("deleteversions", Right.ADMIN)
.putAction("deletespace", Right.ADMIN)
.putAction("temp", Right.VIEW);
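Review bot: Mapping `create` to `Right.VIEW` removes the EDIT requirement from the action table, so the only EDIT gate for page creation is now the check added inside CreateAction.render(). Any code that resolves the required right from the action name through this table will see VIEW for `create`. The line should say why, for example `// create: VIEW at action level; CreateAction.render() enforces EDIT on the target`. A regression test asserting that a view-only user is denied by the create action would pin the behaviour the table no longer expresses. The builder chain starts outside this hunk.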