Description
Currently, on the permissions check on an update operation, the check is only run on the row before it is modified. It would also make sense to add a check to make sure that the modification is valid.
Example use case:
- You have a table of users and a table of (for example) cars.
- Each car has a reference (with a foreign key constraint) to a user.
- You want users to be able to update their car entries using criteria including the user_id, so you allow them access to it on the update permission.
- Currently: You have a problem, as they can now change the user_id column to someone else, when the application was designed for other users to be completely invisible.
- With suggestion: You add a check so that the user_id field after modification must still equal X-HASURA-USER-ID, and everything works fine.
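The two permission models described in this issue, a pre-update filter on its own versus a filter plus a post-update check, modelled as an added example in Python (this is not Hasura's code). The predicate dialect (`{column: {"_eq": value}}` with `X-Hasura-User-Id` resolved from the session), the `update_rows` function, the `PermissionDenied` exception and the two-row `CARS` table are all constructed here for illustration; real session variables are strings and would need a cast, which is skipped.

```python
"""Model of an update permission with a pre-update filter and a post-update
check, in the spirit of the issue above. Added example, not Hasura's code."""
from copy import deepcopy


class PermissionDenied(Exception):
    """Raised when the whole mutation must be rejected."""


# Constructed sample table: each car references its owning user via user_id.
CARS = [
    {"id": 1, "user_id": 1, "model": "Corolla"},
    {"id": 2, "user_id": 2, "model": "Civic"},
]


def row_matches(row, predicate, session):
    """Evaluate a minimal boolean expression {column: {"_eq": value}} against a
    row. A value naming a session variable ("X-Hasura-User-Id") is resolved
    from `session`. An empty predicate matches every row."""
    for column, conditions in predicate.items():
        for op, expected in conditions.items():
            if isinstance(expected, str) and expected.startswith("X-Hasura-"):
                expected = session[expected]
            if op != "_eq":
                raise ValueError(f"unsupported operator {op}")
            if row.get(column) != expected:
                return False
    return True


def update_rows(table, where, set_values, session, permission):
    """Apply set_values to rows matching `where`, under `permission`:
      columns - columns the role may write
      filter  - evaluated on the row BEFORE the update; rows failing it are
                simply invisible to the caller (no error, 0 affected)
      check   - optional; evaluated on the row AFTER the update, and a single
                failure rejects the entire mutation (nothing is written)
    Returns the number of rows updated."""
    forbidden = set(set_values) - set(permission["columns"])
    if forbidden:
        raise PermissionDenied(f"no update access to columns {sorted(forbidden)}")

    planned = []
    for row in table:
        if not row_matches(row, where, session):
            continue
        if not row_matches(row, permission["filter"], session):
            continue  # pre-update filter: row is not the caller's to touch
        new_row = {**row, **set_values}
        check = permission.get("check")
        if check is not None and not row_matches(new_row, check, session):
            raise PermissionDenied("post-update check failed")  # whole mutation fails
        planned.append((row, new_row))

    # Commit only once every planned row passed both checks (all-or-nothing).
    for row, new_row in planned:
        row.update(new_row)
    return len(planned)


OWN_ROWS = {"user_id": {"_eq": "X-Hasura-User-Id"}}

# The permission as the issue describes the current state: filter only.
VULNERABLE = {"columns": ["user_id", "model"], "filter": OWN_ROWS, "check": None}
# With the suggested post-update check: user_id must still equal the caller.
HARDENED = {**VULNERABLE, "check": OWN_ROWS}


def attempt_takeover(permission):
    """User 1 tries to reassign car 1 to user 2.
    Returns (outcome, owner of car 1 afterwards)."""
    table = deepcopy(CARS)
    session = {"X-Hasura-User-Id": 1}
    try:
        update_rows(table, {"id": {"_eq": 1}}, {"user_id": 2}, session, permission)
        outcome = "updated"
    except PermissionDenied:
        outcome = "denied"
    return outcome, table[0]["user_id"]


def legitimate_update(permission):
    """User 1 renames their own car; the check must not get in the way.
    Returns (rows affected, model of car 1 afterwards)."""
    table = deepcopy(CARS)
    session = {"X-Hasura-User-Id": 1}
    n = update_rows(table, {"id": {"_eq": 1}}, {"model": "Corolla GR"}, session, permission)
    return n, table[0]["model"]


def foreign_row_update(permission):
    """User 1 targets user 2's car; the pre-update filter hides it (0 rows)."""
    table = deepcopy(CARS)
    session = {"X-Hasura-User-Id": 1}
    return update_rows(table, {"id": {"_eq": 2}}, {"model": "Stolen"}, session, permission)


if __name__ == "__main__":
    print("filter only :", attempt_takeover(VULNERABLE))   # ('updated', 2)
    print("filter+check:", attempt_takeover(HARDENED))     # ('denied', 1)
    print("own car     :", legitimate_update(HARDENED))    # (1, 'Corolla GR')
    print("other's car :", foreign_row_update(HARDENED))   # 0
```

The point the example makes: the filter decides which rows the caller may touch, but says nothing about what the row may become, so with `VULNERABLE` the caller walks car 1 out of their own visibility by rewriting `user_id`. `HARDENED` evaluates the same predicate against the post-update row and rejects the whole mutation, while ordinary edits to the caller's own rows still go through and other users' rows stay invisible rather than producing an error.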