diff -r a1364ac56bb9 -r 57b68193413c hooks/security.py
--- a/hooks/security.py Wed Jan 07 14:56:33 2015 +0100
+++ b/hooks/security.py Thu Jan 22 17:18:20 2015 +0100
@@ -69,6 +69,13 @@
 raise Unauthorized(action, str(rdef))
 rdef.check_perm(cnx, action, eid=eid)
+ if action == 'add' and not etypechecked:
+ # think about cnx.create_entity('Foo')
+ # the standard metadata were inserted by a hook
+ # with a bypass ... we conceptually need to check
+ # the eid attribute at *creation* time
+ entity.cw_check_perm(action)
+
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
 def precommit_event(self):
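Review bot: The comment above the new `entity.cw_check_perm(action)` call does not state the condition this authorization fallback guards against: it speaks of "the eid attribute" although the call is an entity-level permission check, and "think about cnx.create_entity('Foo')" leaves the case for the reader to reconstruct. If, as the flag name suggests, `etypechecked` records that the entity-level check already ran, I would state the invariant directly, e.g. `# No edited attribute triggered the entity-level 'add' check (e.g. create_entity('Foo') where only hook-set metadata exist, inserted with a security bypass), so run it here.` The branch is gated on `action == 'add'`; whether an 'update' can also arrive here with `etypechecked` still false depends on the code above, which starts outside the hunk, so that is worth confirming. No regression test is visible in this diff; one that creates an entity with no explicit attributes as a user without add permission and expects `Unauthorized` would pin the new behaviour.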