diff -r 4b89ca0b11ad -r 96dba2efd16d schema.py --- a/schema.py Fri Jan 10 16:37:12 2014 +0100 +++ b/schema.py Thu Oct 24 13:15:53 2013 +0200 @@ -330,6 +330,8 @@ return 'Any %s WHERE %s' % (','.join(sorted(self.mainvars)), self.expression) + + # rql expressions for use in permission definition ############################# class ERQLExpression(RQLExpression): @@ -395,6 +397,16 @@ kwargs['o'] = toeid return self._check(_cw, **kwargs) + +# In yams, default 'update' perm for attributes granted to managers and owners. +# Within cw, we want to default to users who may edit the entity holding the +# attribute. +# These default permissions won't be checked by the security hooks: +# since they delegate checking to the entity, we can skip actual checks. +ybo.DEFAULT_ATTRPERMS['update'] = ('managers', ERQLExpression('U has_update_permission X')) +ybo.DEFAULT_ATTRPERMS['add'] = ('managers', ERQLExpression('U has_add_permission X')) + + PUB_SYSTEM_ENTITY_PERMS = { 'read': ('managers', 'users', 'guests',), 'add': ('managers',), @@ -408,6 +420,7 @@ } PUB_SYSTEM_ATTR_PERMS = { 'read': ('managers', 'users', 'guests',), + 'add': ('managers',), 'update': ('managers',), } RO_REL_PERMS = { @@ -417,6 +430,7 @@ } RO_ATTR_PERMS = { 'read': ('managers', 'users', 'guests',), + 'add': ybo.DEFAULT_ATTRPERMS['add'], 'update': (), } @@ -951,12 +965,6 @@ return self._eid_index[eid] -# in yams, default 'update' perm for attributes granted to managers and owners. -# Within cw, we want to default to users who may edit the entity holding the -# attribute. -ybo.DEFAULT_ATTRPERMS['update'] = ( - 'managers', ERQLExpression('U has_update_permission X')) - # additional cw specific constraints ########################################### class BaseRQLConstraint(RRQLExpression, BaseConstraint):
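Review bot: The comment added above the `ybo.DEFAULT_ATTRPERMS` assignments (hunk `@@ -395,6 +397,16 @@`) says the security hooks will not check these permissions, but it does not say how a hook recognises a "default" permission. Its first sentence also still mentions only 'update', although 'add' is now overridden too. The hook code is not part of this diff; if it compares an attribute's permissions against `ybo.DEFAULT_ATTRPERMS[action]`, the skip is only safe while the entity-level add/update check is guaranteed to have run for the same operation. I would spell that out, e.g. `# 'add' and 'update' are both overridden here; hooks skip the attribute check only for these exact defaults and rely on the entity-level check having run`. These are also import-time mutations of a yams module global, so they presumably apply to every schema loaded in the process, which deserves a mention.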
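Review bot: `RO_ATTR_PERMS` (hunk `@@ -417,6 +430,7 @@`) now takes 'add' from `ybo.DEFAULT_ATTRPERMS['add']` while 'update' stays `()`, so an attribute declared read-only can be given a value at creation by any user allowed to add the entity. Because the entry reuses the default tuple itself, the hooks described in the comment added earlier in this commit would presumably skip the attribute-level check for it as well. If "settable at creation, immutable afterwards" is the intent, state it next to the dict: `# read-only after creation: 'add' is delegated to the entity's add permission, 'update' is denied to everyone`. If these attributes are meant to be system-set only, `'add': ('managers',)` as in `PUB_SYSTEM_ATTR_PERMS` would be the stricter choice. The entry also reads the default at import time, so it silently depends on the assignment above having already run.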