diff --git a/product/ERP5Type/Document/Folder.py b/product/ERP5Type/Document/Folder.py
index df1cc9501257c0bbd3d99fe299535c1b3e9dd3b0..e2731f77f6adbfd3cb2cd64a92d173cda208b724 100644
--- a/product/ERP5Type/Document/Folder.py
+++ b/product/ERP5Type/Document/Folder.py
@@ -650,12 +650,24 @@ be a problem)."""
   # Optimized Menu System
   security.declarePublic('allowedContentTypes')
   def allowedContentTypes( self ):
-    """
-      List portal_types which can be added in this folder / object.
-      Cache results. This requires restarting Zope to update values.
-    """ 
+    """ List portal_types which can be added in this folder / object.
+    Cache results.
+    """
+    # if we don't have add portal content permission, return directly.
+    # this prevents returning cached allowed types when the user no longer have
+    # the permission to any content type. (security definitions in workflows
+    # usually remove some permission once an object is "Valid")
+    # This also prevents filling the cache with an empty list, when the user
+    # does not have the permission to add any content yet.
+
+    # XXX this works just fine, unless some objects can be added with another
+    # permission that "Add portal content". For now, this is only the case for
+    # Role Definition objects, but this shows that generally speaking, this is
+    # not the right approach.
     if not getSecurityManager().checkPermission(
-                      Permissions.AddPortalContent, self):
+                      Permissions.AddPortalContent, self) and\
+       not getSecurityManager().checkPermission(
+                      Permissions.ChangeLocalRoles, self):
       return []
     
     def _allowedContentTypes( portal_type=None, user=None, portal_path=None ):
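Review bot: The widened guard (`not ...AddPortalContent... and not ...ChangeLocalRoles...`) brings back the stale-cache case the new comment describes, for any user who keeps Change local roles after a workflow transition removes Add portal content: that user now falls through to the cached `_allowedContentTypes` result, whose visible key is only `portal_type`, `user` and `portal_path`, so a list computed while adding was still allowed can be returned later. If the cache really is keyed on those three values alone (the inner function's body and the caching call lie outside this hunk), consider adding the permission state to the key, e.g. `can_add = sm.checkPermission(Permissions.AddPortalContent, self)` passed as an extra argument, or filtering the cached list per type against the permission that actually guards it. The returned list should be treated as a menu hint only, with the object-creation path enforcing its own permission check. Minor: bind `sm = getSecurityManager()` once and wrap the condition in parentheses instead of the `and\` continuation, and the XXX comment should read "another permission than".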