--- a/hooks/security.py	Fri Jan 10 16:37:12 2014 +0100
+++ b/hooks/security.py	Thu Oct 24 13:15:53 2013 +0200
@@ -1,4 +1,4 @@
-# copyright 2003-2012 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
+# copyright 2003-2013 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
 # contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
 #
 # This file is part of CubicWeb.
@@ -20,6 +20,7 @@
 """
 
 __docformat__ = "restructuredtext en"
+from warnings import warn
 
 from logilab.common.registry import objectify_predicate
 
@@ -29,8 +30,8 @@
 from cubicweb.server import BEFORE_ADD_RELATIONS, ON_COMMIT_ADD_RELATIONS, hook
 
 
-_DEFAULT_UPDATE_ATTRPERM = buildobjs.DEFAULT_ATTRPERMS['update']
-def check_entity_attributes(session, entity, editedattrs=None, creation=False):
+
+def check_entity_attributes(session, entity, action, editedattrs=None):
     eid = entity.eid
     eschema = entity.e_schema
     # ._cw_skip_security_attributes is there to bypass security for attributes
@@ -43,27 +44,25 @@
             continue
         rdef = eschema.rdef(attr)
         if rdef.final: # non final relation are checked by standard hooks
-            # attributes only have a specific 'update' permission
-            updateperm = rdef.permissions.get('update')
+            perms = rdef.permissions.get(action)
             # comparison below works because the default update perm is:
             #
-            #  ('managers', ERQLExpression(Any X WHERE U has_update_permission X, X eid %(x)s, U eid %(u)s))
+            #  ('managers', ERQLExpression(Any X WHERE U has_update_permission X,
+            #                              X eid %(x)s, U eid %(u)s))
             #
             # is deserialized in this order (groups first), and ERQLExpression
-            # implements comparison by expression.
-            if updateperm == _DEFAULT_UPDATE_ATTRPERM:
-                # The default update permission is to delegate to the entity
-                # update permission. This is an historical artefact but it is
-                # costly (in general). Hence we take this permission object as a
-                # marker saying "no specific" update permissions for this
-                # attribute. Thus we just do nothing.
+            # implements comparison by rql expression.
+            if perms == buildobjs.DEFAULT_ATTRPERMS[action]:
+                # The default rule is to delegate to the entity
+                # rule. This is an historical artefact. Hence we take
+                # this object as a marker saying "no specific"
+                # permission rule for this attribute. Thus we just do
+                # nothing.
                 continue
-            if creation and updateperm == ():
-                # That actually means an immutable attribute.  We make an
-                # _exception_ to the `check attr update perms at entity create &
-                # update time` rule for this case.
-                continue
-            rdef.check_perm(session, 'update', eid=eid)
+            if perms == ():
+                # That means an immutable attribute.
+                raise Unauthorized(action, str(rdef))
+            rdef.check_perm(session, action, eid=eid)
 
 
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
@@ -72,8 +71,7 @@
         for eid, action, edited in self.get_data():
             entity = session.entity_from_eid(eid)
             entity.cw_check_perm(action)
-            check_entity_attributes(session, entity, edited,
-                                    creation=(action == 'add'))
+            check_entity_attributes(session, entity, action, edited)
 
 
 class CheckRelationPermissionOp(hook.DataOperationMixIn, hook.LateOperation):