Permission for entity creation is currently not checked consistently. At present:
- SpecialNewProperty requires 'property-create', by specifying it as a required permission in the parent constructor.
- EditEntity uses EntityPermissionChecker to check the "edit" permission.
- EditEntity::addRequiredPermission() is never called.
- EntityContentFactory also requires 'createpage' if the Entity's ID is null (!)
- Api/EditPage::getRequiredPermissions() returns 'edit'; if the entity ID is null (new entity), it also returns 'createpage' and 'property-create'.
This shows that permission checks are distributed all over the code, and partially inconsistent.
Also, some API modules that allow the creation of entities may not check all necessary permissions.
Necessary permissions should be determined and checked in a central place. EditEntity seems to be the right place for this, since all entity edits go through there, and it has enough information about the user.
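
A sketch of what such a central check could look like, as an added example that is not Wikibase code: the class name `EntityPermissionResolver`, its methods, and the per-type mapping are assumptions built only from the permissions named above ('edit', 'createpage', 'property-create'). Every entry point would call the same resolver instead of carrying its own list.

```php
<?php
declare(strict_types=1);

// Hypothetical central resolver; names and mapping are illustrative assumptions.
final class EntityPermissionResolver
{
    /** Extra permissions needed to create a new entity, per entity type (assumed). */
    private const CREATE_PERMISSIONS = [
        'item'     => ['createpage'],
        'property' => ['createpage', 'property-create'],
    ];

    /** @return string[] every permission the edit requires */
    public static function requiredPermissions(string $entityType, bool $isNew): array
    {
        if (!isset(self::CREATE_PERMISSIONS[$entityType])) {
            // Fail closed: an unknown type must not fall through to "edit only".
            throw new InvalidArgumentException("Unknown entity type: $entityType");
        }
        $required = ['edit'];
        if ($isNew) {
            $required = array_merge($required, self::CREATE_PERMISSIONS[$entityType]);
        }
        return $required;
    }

    /** @return string[] permissions the user lacks; an empty array means allowed */
    public static function missingPermissions(array $userRights, string $entityType, bool $isNew): array
    {
        $required = self::requiredPermissions($entityType, $isNew);
        return array_values(array_diff($required, $userRights));
    }
}

// Constructed sample: a user who may edit and create pages but not create properties.
$rights = ['edit', 'createpage'];
foreach ([['item', true], ['property', true], ['property', false]] as [$type, $isNew]) {
    $missing = EntityPermissionResolver::missingPermissions($rights, $type, $isNew);
    printf(
        "%-8s new=%-3s %s\n",
        $type,
        $isNew ? 'yes' : 'no',
        $missing ? 'denied, missing: ' . implode(', ', $missing) : 'allowed'
    );
}
```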