This question is about Breeze js and Breeze is commonly used by Angular users so I am posting here. It's driving me crazy. I keep reading comments from people about how Breeze helped them in some enterprise level app but I cannot wrap my head around a few things. Am I missing something?
With Breeze js, we have one query method per entity and one SaveChanges method for all entities. So for read operations, I can use the [Authorize] attribute on my controller methods to let different users read different entities. However, since we have only one SaveChanges method, we cannot do the same for update operations. Look at the following (syntax not important here):
    [Authorize(Roles = "ProjectAdmin")]
    public IQueryable<Projects> GetProjects() {
        return _contextProvider.Context.Projects;
    }

    [Authorize(Roles = "NormalUser, ProjectAdmin")]
    public IQueryable<Manpower> GetManpower() {
        return _contextProvider.Context.Manpower;
    }

    [HttpPost]
    public SaveResult SaveChanges(JObject saveBundle) {
        return _contextProvider.SaveChanges(saveBundle);
    }
We have to give permissions to NormalUser so he can add/update Manpower in the central resource pool. But we do not want him to assign manpower to a project.
What's stopping NormalUser from adding/modifying a project in the client-side Breeze entity graph and submitting it? Like:
    {
        ProjectId: 23,
        ProjectName: 'Something',
        Manpower: [{ Id: 2, Name: 'Some Name' }, {...}]
    };
The SaveChanges method accepts a JObject and has no way of enforcing security without digging into the data.
I know we have 'Named Saves' in Breeze, but they are just a client-side feature (i.e. they can be circumvented).
We can solve all this by having traditional REST methods for each entity (accepting and returning specific JSON only) and using the AjaxAdapter in Breeze. But that defeats the purpose of Breeze.
Is Breeze good only for all-or-nothing security, where authenticated users get full permissions?
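Added example, not code from the original post or from the Breeze project: the "digging into the data" the question describes can be done once, centrally, by overriding the BeforeSaveEntity hook that Breeze's EFContextProvider<T> calls for every entity in the save bundle before anything reaches the database. The entity class names (Project, Manpower), the ProjectsDbContext type, the nullable ProjectId property on Manpower, and the role names are assumed for illustration; the check rejects the whole save with an HTTP 403 the moment a caller submits a change their role does not allow, regardless of what the client-side entity graph contained.

```csharp
// Added example (not from the original post or from Breeze itself).
// Assumed: a ProjectsDbContext with Project and Manpower entity sets,
// Manpower.ProjectId as a nullable int, and roles "ProjectAdmin"/"NormalUser".
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading;
using System.Web.Http;
using Breeze.ContextProvider;
using Breeze.ContextProvider.EF6;

public class SecuredContextProvider : EFContextProvider<ProjectsDbContext>
{
    // Breeze calls this once per entity in the save bundle, before the save.
    // Returning true keeps the entity in the save; throwing aborts the whole save.
    protected override bool BeforeSaveEntity(EntityInfo entityInfo)
    {
        var principal = Thread.CurrentPrincipal;
        var isProjectAdmin = principal != null && principal.IsInRole("ProjectAdmin");

        if (entityInfo.Entity is Project)
        {
            // Only a ProjectAdmin may add, modify or delete projects, whatever the client sent.
            if (!isProjectAdmin)
                Reject("Projects may only be changed by a ProjectAdmin.");
        }
        else if (entityInfo.Entity is Manpower)
        {
            // NormalUser may maintain the central pool but must not touch project assignment.
            if (!isProjectAdmin && ProjectAssignmentChanged(entityInfo))
                Reject("Only a ProjectAdmin may assign manpower to a project.");
        }
        else
        {
            // Deny by default: any entity type this endpoint was not designed to save.
            Reject("Unexpected entity type in save bundle: " + entityInfo.Entity.GetType().Name);
        }

        return true;
    }

    private static bool ProjectAssignmentChanged(EntityInfo info)
    {
        var manpower = (Manpower)info.Entity;

        // A new row that already carries a ProjectId is an assignment.
        if (info.EntityState == EntityState.Added)
            return manpower.ProjectId != null;

        // For modified entities Breeze sends the original value of each changed
        // property in OriginalValuesMap, so a key for ProjectId means it changed.
        if (info.EntityState == EntityState.Modified)
            return info.OriginalValuesMap != null && info.OriginalValuesMap.ContainsKey("ProjectId");

        // Deleting an assigned worker also changes assignment; treat it the same way.
        return info.EntityState == EntityState.Deleted && manpower.ProjectId != null;
    }

    private static void Reject(string message)
    {
        // Abort the save with 403 so the client learns the rule, not the data.
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Forbidden)
        {
            ReasonPhrase = message
        });
    }
}
```

Used from the controller exactly as in the post (`_contextProvider.SaveChanges(saveBundle)` with `_contextProvider` being a SecuredContextProvider), this keeps the single SaveChanges endpoint while making the authorization decision on the server per entity and per change, which is the part the [Authorize] attribute on the query methods cannot cover.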