diff roundup/cgi/actions.py @ 4130:4ce043e9d43a gsoc-2009

Merge from trunk.
author Stefan Seefeld <stefan@seefeld.name>
date Wed, 17 Jun 2009 02:02:07 +0000
parents 878767b75e1d
children
--- a/roundup/cgi/actions.py	Sat Jun 13 02:12:55 2009 +0000
+++ b/roundup/cgi/actions.py	Wed Jun 17 02:02:07 2009 +0000
@@ -539,9 +539,25 @@
         Base behaviour is to check the user can edit this class. No additional
         property checks are made.
         """
+
         if not classname :
             classname = self.client.classname
-        return self.hasPermission('Create', classname=classname)
+        
+        if not self.hasPermission('Create', classname=classname):
+            return 0
+
+        # Check Edit permission for each property, to avoid being able
+        # to set restricted ones on new item creation
+        for key in props:
+            if not self.hasPermission('Edit', classname=classname,
+                                      property=key):
+                # We restrict by default and special-case allowed properties
+                if key == 'date' or key == 'content':
+                    continue
+                elif key == 'author' and props[key] == self.userid:
+                    continue
+                return 0
+        return 1
 
 class EditItemAction(EditCommon):
     def lastUserActivity(self):
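Review bot: The docstring at the top of the hunk still says `No additional property checks are made.`, but the added loop now rejects creation whenever the user lacks Edit permission on any submitted property, so that sentence should become something like `Each submitted property also requires Edit permission, except 'date', 'content', and 'author' when set to the current user.`. The exemption list is hard-coded by property name and applies to every class, so any class with a restricted property called `date`, `content` or `author` would pass this check; if that is intended, a comment explaining why those three are safe to exempt would help, otherwise the exemption should be limited to the classes that need it. The removed line returned whatever `hasPermission` returned while the new code returns the literals `0`/`1`; `True`/`False` would read more clearly, though callers may depend on the current values. Since the second hunk drops the `'user' in key` guard, this loop becomes the only check against setting restricted properties on creation, so the exemptions deserve careful review; the enclosing method's signature lies outside the hunk.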
@@ -643,11 +659,6 @@
                 % str(message))
             return
 
-        # guard against new user creation that would bypass security checks
-        for key in props:
-            if 'user' in key:
-                return
-
         # handle the props - edit or create
         try:
             # when it hits the None element, it'll set self.nodeid
