Check PUT and POST
The permission system bases its decisions on the verb used in the request, assuming that POST is used to add and PUT to change. But I believe we can POST a resource with an @id to change it, and PUT a new resource. We need to check whether that's the case and whether it creates a security issue.
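One way to run the check this issue asks for, as an added example that is not part of the original issue or the project's code: it compares a verb-based permission lookup with one derived from what the write would do, and lists the requests where the two disagree. The `add`/`change` permission names, the in-memory store, the URLs and the rule that POST targets the body's `@id` are all assumptions made for illustration.

```python
# Constructed example: every name and value here is hypothetical.
VERB_TO_PERM = {"POST": "add", "PUT": "change"}


def verb_based_permission(method, url, body, store):
    """The check described in the issue: the verb alone picks the permission."""
    return VERB_TO_PERM[method]


def effect_based_permission(method, url, body, store):
    """Pick the permission from what the write would do to the store."""
    # Assumption: POST writes to body["@id"] when present, PUT writes to the URL.
    target = body.get("@id") if method == "POST" else url
    return "change" if target in store else "add"


def audit(user_perms, requests, store):
    """Return requests the verb-based check allows but the effect-based one denies."""
    gaps = []
    for method, url, body in requests:
        by_verb = verb_based_permission(method, url, body, store)
        by_effect = effect_based_permission(method, url, body, store)
        if by_verb in user_perms and by_effect not in user_perms:
            # Third field: the permission the user would have needed.
            gaps.append((method, url, by_effect))
    return gaps


# Constructed sample data: one existing resource and four write requests.
STORE = {"/notes/1": {"@id": "/notes/1", "text": "original"}}
REQUESTS = [
    ("POST", "/notes/", {"text": "new"}),                             # plain add
    ("POST", "/notes/", {"@id": "/notes/1", "text": "overwritten"}),  # POST on existing @id
    ("PUT", "/notes/1", {"@id": "/notes/1", "text": "edited"}),       # plain change
    ("PUT", "/notes/2", {"@id": "/notes/2", "text": "created"}),      # PUT on new resource
]

if __name__ == "__main__":
    for perms in ({"add"}, {"change"}, {"add", "change"}):
        print(sorted(perms), audit(perms, REQUESTS, STORE))
```

A user holding both permissions produces no gaps, so the mismatch only matters where `add` and `change` are granted separately.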