Serializer: POST nested object without permission fails quietly

This is a low priority bug

The following unit test passes:

```python
import json

from rest_framework.test import APITestCase

# LDPDummy is the project's test model; it is assumed to be importable in this test module.


class NestedPermissionTest(APITestCase):
    def test_patch_nested_resource_without_permission(self):
        # I am attempting to add a resource which I should not know exists
        parent = LDPDummy.objects.create(some='parent')
        data = {
            'anons': [
                {'@id': 'https://external.com/permissionless-dummys/1/'}
            ]
        }
        response = self.client.patch('/ldpdummys/{}/'.format(parent.pk), data=json.dumps(data),
                                     content_type='application/ld+json')

        # The request succeeds, but the nested resource is silently not attached
        self.assertEqual(response.status_code, 200)
        self.assertEqual(len(response.data['anons']['ldp:contains']), 0)
        parent = LDPDummy.objects.get(pk=parent.pk)
        self.assertEqual(parent.anons.count(), 0)
```

The serializer rejects my permission to update the nested resource correctly. It is not failing totally silently, because it does not pretend to have created the resource in the response. It should possibly be failing more loudly, returning a 403 or 400.

In PUT/PATCH there is an added security consideration (#329, closed):

If I have the model permission add, then I can deduce from this request that the permissionless-dummy which I attempted to change exists, which is a minor security vulnerability as I do not have permission to know that this exists.

Edited by Calum Mackervoy
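To make the two behaviours concrete, here is an added, constructed Python model of the nested-reference handling (it is not djangoldp's own serializer code): `loud=False` reproduces the quiet drop reported above, while `loud=True` rejects the request with one uniform error for both unknown and forbidden targets, so the response cannot be used to infer that the permissionless resource exists. `RESOURCES`, `can_view`, `resolve_nested_refs` and `handle_patch` are assumptions for this example.

```python
# Constructed model of nested '@id' handling in a PATCH; not djangoldp's serializer code.
# RESOURCES, can_view, resolve_nested_refs and handle_patch are assumptions for this example.

# Constructed resource store: '@id' -> set of users allowed to see the resource.
RESOURCES = {
    'https://external.com/permissionless-dummys/1/': {'viewers': {'admin'}},
    'https://external.com/permissionless-dummys/2/': {'viewers': {'admin', 'alice'}},
}


def can_view(user, resource_id):
    """Constructed permission check: True only if the resource exists and the user may see it."""
    res = RESOURCES.get(resource_id)
    return res is not None and user in res['viewers']


class NestedReferenceError(Exception):
    """Raised when a nested '@id' cannot be attached. The message has the same shape for
    'does not exist' and 'no permission', so the error is not an existence oracle."""


def resolve_nested_refs(user, payload, field_name='anons', loud=True):
    """Return the '@id's from payload[field_name] that may be attached to the parent.

    loud=False: unknown or forbidden references are dropped and the request still
                succeeds (the quiet behaviour in the issue: 200, empty container).
    loud=True:  the whole request is rejected with one uniform error instead.
    """
    accepted = []
    for entry in payload.get(field_name, []):
        ref = entry.get('@id')
        if ref is None:
            raise NestedReferenceError("nested object without '@id'")
        # 'unknown' and 'forbidden' share one outcome so the caller cannot tell them apart.
        if not can_view(user, ref):
            if loud:
                raise NestedReferenceError('cannot attach {}'.format(ref))
            continue
        accepted.append(ref)
    return accepted


def handle_patch(user, payload, loud=True):
    """Constructed request handler returning (status_code, response_body)."""
    try:
        refs = resolve_nested_refs(user, payload, loud=loud)
    except NestedReferenceError as exc:
        return 400, {'error': str(exc)}
    return 200, {'anons': {'ldp:contains': [{'@id': r} for r in refs]}}
```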