merge 3.19.8 into 3.20 branch 3.20.2 centos/3.20.2-1 cubicweb-centos-version-3.20.2-1 cubicweb-debian-version-3.20.2-1 cubicweb-version-3.20.2 debian/3.20.2-1
authorJulien Cristau <julien.cristau@logilab.fr>
Thu, 22 Jan 2015 17:45:06 +0100
changeset 10161 138464fc1c33
parent 10160 b733789cc339 (current diff)
parent 10159 5cc8fdba56d5 (diff)
child 10162 1f68574c3d0b
merge 3.19.8 into 3.20 branch
.hgtags
__pkginfo__.py
cubicweb.spec
debian/changelog
server/test/unittest_security.py
--- a/.hgtags	Thu Jan 22 17:32:49 2015 +0100
+++ b/.hgtags	Thu Jan 22 17:45:06 2015 +0100
@@ -365,6 +365,9 @@
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-version-3.18.7
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-debian-version-3.18.7-1
 cb96f4403cf2837b595992ceb0dfef2070d55e70 cubicweb-centos-version-3.18.7-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-version-3.18.8
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-debian-version-3.18.8-1
+231094063d62fa7c5296f2e46bc204e728038e85 cubicweb-centos-version-3.18.8-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-version-3.19.0
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-debian-version-3.19.0-1
 1141927b8494aabd16e31b0d0d9a50fe1fed5f2f cubicweb-centos-version-3.19.0-1
@@ -389,6 +392,9 @@
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-version-3.19.7
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-debian-version-3.19.7-1
 ac4f5f615597575bec32f8f591260e5a91e53855 cubicweb-centos-version-3.19.7-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-version-3.19.8
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-debian-version-3.19.8-1
+efc8645ece4300958e3628db81464fef12d5f6e8 cubicweb-centos-version-3.19.8-1
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-version-3.20.0
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-debian-version-3.20.0-1
 7e6b7739afe6128589ad51b0318decb767cbae36 cubicweb-centos-version-3.20.0-1
--- a/debian/changelog	Thu Jan 22 17:32:49 2015 +0100
+++ b/debian/changelog	Thu Jan 22 17:45:06 2015 +0100
@@ -16,6 +16,12 @@
 
  -- Julien Cristau <julien.cristau@logilab.fr>  Tue, 06 Jan 2015 18:11:03 +0100
 
+cubicweb (3.19.8-1) unstable; urgency=medium
+
+  * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr>  Thu, 22 Jan 2015 17:18:34 +0100
+
 cubicweb (3.19.7-1) unstable; urgency=low
 
   * new upstream release
@@ -64,6 +70,12 @@
 
  -- Julien Cristau <julien.cristau@logilab.fr>  Mon, 28 Apr 2014 18:35:27 +0200
 
+cubicweb (3.18.8-1) unstable; urgency=medium
+
+  * new upstream release
+
+ -- Julien Cristau <julien.cristau@logilab.fr>  Thu, 22 Jan 2015 16:41:12 +0100
+
 cubicweb (3.18.7-1) unstable; urgency=low
 
   * new upstream release
--- a/hooks/security.py	Thu Jan 22 17:32:49 2015 +0100
+++ b/hooks/security.py	Thu Jan 22 17:45:06 2015 +0100
@@ -69,6 +69,13 @@
                 raise Unauthorized(action, str(rdef))
             rdef.check_perm(cnx, action, eid=eid)
 
+    if action == 'add' and not etypechecked:
+        # think about cnx.create_entity('Foo')
+        # the standard metadata were inserted by a hook
+        # with a bypass ... we conceptually need to check
+        # the eid attribute at *creation* time
+        entity.cw_check_perm(action)
+
 
 class CheckEntityPermissionOp(hook.DataOperationMixIn, hook.LateOperation):
     def precommit_event(self):
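Review bot: The comment above the new `if action == 'add' and not etypechecked:` block does not state the security property it protects, and "check the eid attribute" does not match the call, which runs the entity-level check through `entity.cw_check_perm(action)`. A clearer wording would be `# no edited attribute triggered the entity-level check (e.g. they were all set by hooks with a security bypass), so enforce the entity type's 'add' permission here`. The enclosing function starts above the hunk, so `etypechecked` is not visible here. It is worth confirming that it is initialised on every path reaching this line and only set once `cw_check_perm` has actually run; otherwise this fallback could be skipped for an entity whose permission was never checked.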
--- a/server/test/unittest_security.py	Thu Jan 22 17:32:49 2015 +0100
+++ b/server/test/unittest_security.py	Thu Jan 22 17:45:06 2015 +0100
@@ -131,6 +131,14 @@
             self.assertRaises(Unauthorized, cnx.commit)
             self.assertEqual(cnx.execute('Personne X').rowcount, 1)
 
+    def test_insert_security_2(self):
+        with self.new_access('anon').repo_cnx() as cnx:
+            cnx.execute("INSERT Affaire X")
+            self.assertRaises(Unauthorized, cnx.commit)
+            # anon has no read permission on Affaire entities, so
+            # rowcount == 0
+            self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
+
     def test_insert_rql_permission(self):
         # test user can only add une affaire related to a societe he owns
         with self.new_access('iaminusersgrouponly').repo_cnx() as cnx:
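Review bot: The final assertion in `test_insert_security_2` cannot distinguish a rejected insert from a persisted one, because, as its own comment says, anon has no read permission on Affaire and `rowcount` would be 0 either way. The `assertRaises(Unauthorized, cnx.commit)` line is what actually covers the fix. To pin down that nothing was written, compare the Affaire count seen by a manager connection before and after the rejected commit. A descriptive name such as `test_insert_without_attributes_checks_add_permission`, plus a one-line docstring naming the bare `INSERT Affaire X` case, would also make clear which gap this regression test guards.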