diff -r 68a95d4fb77f -r 85cbf16fbb57 hooks/security.py
--- a/hooks/security.py	Wed Nov 26 17:39:59 2014 +0100
+++ b/hooks/security.py	Wed Jan 21 15:58:33 2015 +0100
@@ -68,6 +68,12 @@
                 # going through check_perm.
                 raise Unauthorized(action, str(rdef))
             rdef.check_perm(session, action, eid=eid)
+    if action == 'add' and not etypechecked:
+        # think about cnx.create_entity('Foo')
+        # the standard metadata were inserted by a hook
+        # with a bypass ... we conceptually need to check
+        # the eid attribute at *creation* time
+        entity.cw_check_perm(action)
 
 
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):