[hooks/security] Defer entity permission checks to an Operation.
Some of these checks may currently happen twice within the same
transaction and be costly.
This should be semantically safe. If people rely on some internal
transaction ordering to be allowed early (thus pass) while the
condition wouldn't be met at precommit time, their application is
broken. It however seems unlikely to happen in the real life (tm).
Closes #2932033
<table class="attributeForm" style="width:100%;"
tal:attributes="id tab_id | nothing;
class tab_class | nothing;">
<tr tal:iter="widget lines">
<th class="labelCol" tal:content="structure python:widget.render_label(entity)">attrname</th>
<td tal:define="error python:widget.render_error(entity)" style="width:100%;"
tal:attributes="class python:error and 'error' or nothing">
<div tal:replace="structure error">error message if any</div>
<div tal:replace="structure python:widget.edit_render(entity)" >widget (input, textarea, etc.)</div>
<div tal:replace="structure python:widget.render_help(entity)">format help if any</div>
</td>
</tr>
</table>