Neutron Policy Engine issues with PUT/Update

Bug #1941537 reported by Andrew Karpow
Affects: neutron
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

We are using a policy that looks like this:

    "network_device": "field:port:device_owner=~^network:",
    "update_port:fixed_ips": "not rule:network_device",

The idea is to protect special ports (by device_owner) from being updated but still allow users to create custom ports.

This causes the following error in the policy engine if a client tries to update the fixed-ips of a port:

DEBUG neutron.policy [] Unable to find requested field: device_owner in target: {
'id': 'abc',
'network_id': 'abc',
'tenant_id': 'abc',
'status': 'ACTIVE',
'project_id': 'abc',
'fixed_ips': [{'subnet_id': 'abc', 'ip_address': '10.180.128.89'}],
'attributes_to_update': ['fixed_ips']
} neutron/policy.py:395

When using PUT/Update, the policy engine is populated with data from the database, but only if the conditions in policy_enforcement.py:54 are met, like "required_by_policy" or "primary_key". The definition of the port attribute "device_owner" doesn't have any of these conditions and is therefore filtered out from the target dict.

But this is not the case for all other operations like GET, DELETE and CREATE. This seems to me like unintended behaviour; shouldn't all attributes that are annotated with "enforce_policy" be pulled into the target dict?

From doc/source/contributor/internals/policy.rst:
* If an attribute of a resource might be subject to authorization checks
  then the ``enforce_policy`` attribute should be set to ``True``...

Tags: api policy
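The following is an added illustration of the behaviour the report describes; it is not Neutron's code. It mimics the semantics of Neutron's "field:<resource>:<field>=<value>" check (a leading "~" on the value means regex match) under the assumption, consistent with the "Unable to find requested field" debug line above, that a check whose field is missing from the target evaluates to False. The rules and sample targets are constructed from the report, and hydrate_target is a hypothetical helper standing in for the "pull the attribute into the target dict" behaviour the reporter asks for.

```python
import re

# Constructed copy of the two rules from the report.
POLICY = {
    "network_device": "field:port:device_owner=~^network:",
    "update_port:fixed_ips": "not rule:network_device",
}

_FIELD_RE = re.compile(r"^field:(?P<resource>\w+):(?P<field>\w+)=(?P<value>.*)$")


def field_check(spec, target):
    """Evaluate a 'field:<resource>:<field>=<value>' check against a target.

    A leading '~' on the value means regex match. If the field is absent from
    the target the check returns False (assumption mirroring the debug line in
    the report), which is the crux of the problem: 'not rule:...' then
    becomes True and the update is permitted.
    """
    m = _FIELD_RE.match(spec)
    if not m:
        raise ValueError("not a field check: %s" % spec)
    field, value = m.group("field"), m.group("value")
    if field not in target:
        print("Unable to find requested field: %s in target: %s" % (field, target))
        return False
    actual = str(target[field])
    if value.startswith("~"):
        return bool(re.match(value[1:], actual))
    return actual == value


def evaluate(rule_expr, target, policy=POLICY):
    """Minimal evaluator for the subset of policy syntax used here:
    'not X', 'rule:NAME' and 'field:...' checks."""
    expr = rule_expr.strip()
    if expr.startswith("not "):
        return not evaluate(expr[4:], target, policy)
    if expr.startswith("rule:"):
        return evaluate(policy[expr[5:]], target, policy)
    if expr.startswith("field:"):
        return field_check(expr, target)
    raise ValueError("unsupported expression: %s" % expr)


def may_update_fixed_ips(target):
    """True if the 'update_port:fixed_ips' rule permits the update."""
    return evaluate(POLICY["update_port:fixed_ips"], target)


def hydrate_target(target, db_port):
    """Hypothetical fix: copy policy-relevant attributes the target lacks
    from the database row, so the field check can actually see them."""
    merged = dict(target)
    for key in ("device_owner",):
        if key not in merged and key in db_port:
            merged[key] = db_port[key]
    return merged


# Targets as GET/DELETE/CREATE would see them: device_owner is present.
ROUTER_PORT = {"id": "abc", "device_owner": "network:router_interface", "fixed_ips": []}
USER_PORT = {"id": "abc", "device_owner": "compute:nova", "fixed_ips": []}

# Target exactly as the report shows it on PUT: device_owner filtered out.
PUT_TARGET = {
    "id": "abc", "network_id": "abc", "tenant_id": "abc", "status": "ACTIVE",
    "project_id": "abc",
    "fixed_ips": [{"subnet_id": "abc", "ip_address": "10.180.128.89"}],
    "attributes_to_update": ["fixed_ips"],
}

if __name__ == "__main__":
    print("router port, full target :", may_update_fixed_ips(ROUTER_PORT))   # False: denied as intended
    print("user port, full target   :", may_update_fixed_ips(USER_PORT))     # True: allowed as intended
    print("router port, PUT target  :", may_update_fixed_ips(PUT_TARGET))    # True: fails open
    print("router port, hydrated    :", may_update_fixed_ips(hydrate_target(PUT_TARGET, ROUTER_PORT)))  # False
```

The third call is the case the report hits: because device_owner never reaches the target on PUT, the field check cannot match, "not rule:network_device" evaluates to True, and the rule that was meant to protect network-owned ports silently permits the update. A policy written as a negation of a field check therefore depends on that field always being present in the target, which is worth verifying per operation when reviewing such rules.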
Hongbin Lu (hongbin.lu)
Changed in neutron:
importance: Undecided → Wishlist
status: New → Confirmed
importance: Wishlist → Medium
tags: added: api