[Bug]: User can create an object with the copy/paste action without the permission created #690

Closed
amignotte opened this issue Sep 16, 2024 · 2 comments

@amignotte

Pimcore version

2024.2

Steps to reproduce

  • Create a non-admin user who can see Data Objects and has, in the workspaces, all permissions except creation/deletion on a folder, and add another folder where it can create some other objects.
    In my example, I have a folder named Hotels where we store the Hotel objects, and I don't want the user Demo to be able to create Hotels. I have another folder to store the Beds of the hotels, and I authorize the user to create Beds.

  • With your admin user, create a Hotel object.

  • Now log in with your Demo user.

  • Copy the hotel created by the admin user.

  • Paste it in the Room/Beds folder.

Actual Behavior

As you can see, I can copy my hotel but I can't paste it in the Hotels folder.

But if I go to my Rooms/Beds folder, I can paste it.

And the hotel is now created under the hotel folder because we have an automatic tree folder according to the type of the object.

Expected Behavior

The user shouldn't be able to copy/paste an object when these permission rights don't allow him to create the object!

=> It's a critical issue because with this possibility the users can create any objects, bypassing the creation rights.

Thanks for fixing it as soon as possible for you :)

@kingjia90
Contributor

Thank you for reporting!
Confirming the issue; I tried to fix it in #691.

When the copied folder has some mixed classes, it would need some warning (before) or log (after) to tell which files were actually copied and which ones were skipped due to the lack of authorization.
The current PR is in draft as it would throw an exception and may not be user-friendly.

@robertSt7 robertSt7 added this to the 1.5.5 milestone Sep 20, 2024
@kingjia90
Contributor

Fixed by #691
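
The bypass reported in this thread, as an added example that is not Pimcore code and not the change made in #691: a small Python model in which the create check looks only at the paste target, next to a variant that also checks each object's final folder and returns the copied/skipped lists suggested above. The workspace rules, the class-to-folder mapping, the object keys and all function names are constructed for illustration, and the cause of the bug (checking only the paste target) is an assumption drawn from the behaviour described in the report.

```python
from dataclasses import dataclass

# Constructed workspace rules for the "Demo" user: folder -> may create?
WORKSPACES = {"/Hotels": False, "/Rooms/Beds": True}

# Assumed auto-filing rule from the report: objects are stored by class.
CLASS_FOLDERS = {"Hotel": "/Hotels", "Bed": "/Rooms/Beds"}


@dataclass
class Obj:
    key: str
    cls: str


def can_create(path: str) -> bool:
    """Longest matching workspace prefix decides; no match means deny."""
    matches = [p for p in WORKSPACES if path == p or path.startswith(p + "/")]
    return WORKSPACES[max(matches, key=len)] if matches else False


def final_folder(obj: Obj, paste_target: str) -> str:
    """Where the object really ends up once the auto-filing rule has run."""
    return CLASS_FOLDERS.get(obj.cls, paste_target)


def paste_target_only(objs, paste_target):
    """Behaviour as reported: only the folder pasted into is checked."""
    if not can_create(paste_target):
        return [], [o.key for o in objs]
    return [f"{final_folder(o, paste_target)}/{o.key}" for o in objs], []


def paste_checked(objs, paste_target):
    """Check create rights on each object's final folder; report skips."""
    created, skipped = [], []
    for o in objs:
        dest = final_folder(o, paste_target)
        if can_create(paste_target) and can_create(dest):
            created.append(f"{dest}/{o.key}")
        else:
            skipped.append(o.key)
    return created, skipped


# Constructed clipboard: a mixed-class copy, as in the comment above.
CLIPBOARD = [Obj("grand-hotel", "Hotel"), Obj("bed-1", "Bed")]
```

Returning the skipped keys instead of raising on the first denied object lets the caller show the user which items were not copied.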
