Comment 8 for bug 786418

An object's primary key is never allowed to be overwritten. For example, when the client sends an object to be written (updated), the checkPermissions() should check if the client has permissions to update the object as a whole. The ModelWrapper.getDataClone() simply fetches that object from the datastore, updates the *non-reference lists* properties objects (only updates fields with write permissions and any other changes are discarded). This will NOT replace the server primary key ever.

At creation time, an object is created in the database (a new server primary key is generated by the datastore automatically). Then similar to the update method, this will update the fields that has correct permissions and simply discard the others. If an error occurs (this shouldn't be the case however), the whole object is immediately deleted from the database and an exception is thrown.

So answering your question, the model wrapper only checks permissions within an objects fields and will never replace the primary key (primary keys are always handled by the datastore). However, in case of a malicious client sends false primary keys, then the checkPermissions() should handle that and the ModelWrapper will not check this.

Hope this answered your question.