In Plone 5.2, I have a Dexterity content type with an "add_permission" defined in its schema, but I find that the permission cmf.addportalcontent is also being required to add.
I expected that the configured add_permission would solely grant or revoke permission to add this type. Is the add_permission only for further limiting cmf.addportalcontent? I do not want to grant a global addportalcontent to users who should only add this one type.
To be sure I set up the add_permission correctly, I can see in ZMI that the portal_type add permission is effectively created and configured for the type. The user has the add permission, confirmed by a check in the container view and logging the user's permissions. However, toggling cmf.addportalcontent for the user effectively restricts/allows the add.
The type has a custom (klass) class, so I thought maybe I would need a custom add form with a ZCML permission declaration of the add permission, but making one did not help. cmf.addportalcontent is still required.
Is always requiring addportalcontent the design? If not, how can I find what code is requiring this permission? Verbose security just says unauthorized.
If it is the design, should I grant addportalcontent and limit through placeful workflow to a container and then limit the available types to add? This seems cumbersome/risky vs. granting just the specific add_permission.