Description
In the current implementation, the ACL permission for 'create' operations is only asserted for individual property changes done after the model object is constructed, but not for properties passed to the model constructor.
To fix this, change the current code in `validate`:

```js
var changedAttrs = this.changedSinceSync ? this.changedSinceSync() : this.changedAttributes();
// ...
var oldAttrs = action === 'update' ? this.previousAttributes() : attrs;
```

to something like:

```js
var oldAttrs;
var changedAttrs;
if (action === 'create') {
  // On create, every attribute that differs from the defaults counts as a change.
  oldAttrs = _.result(this, 'defaults', {});
  changedAttrs = attrs;
} else if (action === 'update') {
  oldAttrs = this.previousAttributes();
  // Keep the fallback from the current code for models without changedSinceSync.
  changedAttrs = this.changedSinceSync ? this.changedSinceSync() : this.changedAttributes();
}
```
Unfortunately, changing the behavior will break a lot of existing code, so it can only be done in a new major version.
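
The gap described above, as an added example that is not the project's code: a simplified stand-in for the 'create' check that compares the behaviour the issue describes with the proposed comparison against `defaults`. The `ACL` table, `DEFAULTS`, and the function names `deniedAttrs`, `validateCurrent` and `validateProposed` are hypothetical, and the example assumes the permission check skips attributes whose value equals the old one.

```javascript
// Constructed example: hypothetical ACL table and defaults, not the project's code.
const ACL = { create: { title: ['user', 'admin'], isAdmin: ['admin'] } };
const DEFAULTS = { title: '', isAdmin: false };

// Names of attributes in changedAttrs that differ from oldAttrs and that
// `role` may not write for `action`. Attributes with no ACL entry are denied.
function deniedAttrs(role, action, oldAttrs, changedAttrs) {
  const rules = ACL[action] || {};
  return Object.keys(changedAttrs).filter(function (key) {
    if (changedAttrs[key] === oldAttrs[key]) return false; // unchanged value
    return !(rules[key] || []).includes(role);
  });
}

// Behaviour the issue describes: on 'create', only changes made after
// construction are asserted; constructor attributes form the baseline.
function validateCurrent(role, constructorAttrs, laterChanges) {
  const baseline = Object.assign({}, DEFAULTS, constructorAttrs);
  return deniedAttrs(role, 'create', baseline, laterChanges);
}

// Proposed behaviour: on 'create', the full attribute set is compared with
// the defaults, so constructor attributes are asserted as well.
function validateProposed(role, constructorAttrs, laterChanges) {
  const attrs = Object.assign({}, DEFAULTS, constructorAttrs, laterChanges);
  return deniedAttrs(role, 'create', DEFAULTS, attrs);
}

// Constructed input: a 'user' passes a privileged attribute to the constructor.
const viaConstructor = { title: 'hello', isAdmin: true };
console.log(validateCurrent('user', viaConstructor, {}));           // nothing denied
console.log(validateCurrent('user', { title: 'hello' }, { isAdmin: true }));
console.log(validateProposed('user', viaConstructor, {}));          // isAdmin denied
```

A regression test for the fix would cover both paths: the same attribute supplied through the constructor and through a later change should produce the same denial.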