As of today, attribute 'update' permissions are checked at entity creation time.
In the past, we have gone from 'add'/'delete' permissions in the manner of relations to 'update' perms, like for entities, but while simplifying it to 'update', we lost something.
There are definitely cases when a specific attribute 'update' permission forbids entity _creation_. The most common case (no permission at all) is actually hard-coded in check_entity_attributes, but there's no deep reason more cases cannot be handled.
|appeared in||<not specified>|
|closed by||#96dba2efd16d [hooks/security] provide attribute "add" permission|