At the moment, the content/create route will always display the form, even to an anonymous user. If the user does not have permissions to create, the login form will be shown on submit.

Unless there are special use-cases, the controller should only display the form if the user has permission to create.

Note that according to feedback in EZP-25435, this would be a problem with HTTP cache with some policies (like ParentContent conditions).