@private
*/
var _canDoAttr = function (action, attribute) {
- var priv = this.privileges &&
+ var privObject = this.privileges &&
this.privileges.attribute &&
- this.privileges.attribute[attribute] &&
- !_.isUndefined(this.privileges.attribute[attribute][action]) ?
- this.privileges.attribute[attribute][action] : undefined;
+ this.privileges.attribute[attribute];
+
+ // shim: the way to set an attribute to be non-editable after persist is {update: "false"}
+ // if someone is asking if we can update a ready_new model, they're going to be asking
+ // canEdit, which will map to update, but we really know they are interested in the `create`
+ // attribute of the privObject
+ if (privObject && action === "update" && this.isNew() && privObject.create !== privObject.update) {
+ action = "create";
+ }
+
+ var priv = privObject &&
+ !_.isUndefined(privObject[action]) ?
+ privObject[action] : undefined;
// If there was a privilege then check our access, otherwise assume we have it
var hasPriv = !_.isUndefined(priv) ? XT.session.getPrivileges().get(priv) : true;