Hi team,
I would like to have any advice on a specific use case.
Let’s take a classical example:
db.users.hasMany(db.addresses, { foreignKey: 'user_id' });
db.addresses.belongsTo(db.users, { as: 'user', foreignKey: 'user_id' });
I want to authorize my forestadmin users to do the following actions
** create an address for a user*
** update any address of a user*
But I want to:
** forbid any change to the user attached to an address once it is created*
The problem I already encountered is the following one:
Sometimes, by error, a forestadmin user is modifying the user linked to an address entry, and so, the previous record do not have any more address.
How would you recommend to enforce this security?
I cannot set the read only attribute on the field user of address, because of the need to initialize it when creating a record.
Any idea?
Thanks
Hello @Louis-Marie & sorry for the late reply,
I tried to reproduce the problem you encountered but it was unsuccessful. The update of a record (A) on the parent table keeps well the records depending on (A). Can you tell me which version of forest-express-sequelize you use and your project name. And if it’s possible the code on the users and addresses models ? 
Hi @anon16419211
There is no issue. This is a request for an advice.
I think there is a misunderstanding on my question.
Let’s take an example with two records:
A first user record: M. Dupont Henri
has an address: 55, rue des Martyres 75001 Paris
A second user : M. Tartempion Albert
has an address: 23, rue de la Mer 62500 Calais
When updating the address of M. Dupont, a Forestadmin user is able to change the user field to attach it to M. Tartempion.
=> because the user field of address collection can be changed.
It will make M. Tartempion have two addresses, and M. Dupont will not have any more address.
I would like to remove that possibility, and I don’t know how to do it.
I cannot make the user field of address in Read only, because it needs to be initialized when creating an address.
Do you understand now?
Here is my current setup:
"database_type": "postgres",
"liana": "forest-express-sequelize",
"liana_version": "6.6.3",
"engine": "nodejs",
"engine_version": "12.13.1",
"orm_version": "5.22.3"
Indeed I didn’t quite understand the question. 
You can find all the documentation concerning the logic of your routes here.
I was able to setup a project and find you a workaround. Can you add the following piece of code to your app.js file and tell me if the desired behavior is the right one?
At the top of your file:
const { PermissionMiddlewareCreator, RecordGetter } = require('forest-express-sequelize');
const { addresses } = require('./models');
const permissionMiddlewareCreator = new PermissionMiddlewareCreator('addresses');
And next you can override the right route:
app.put('/forest/addresses/:recordId/relationships/user_id', permissionMiddlewareCreator.update(), async (request, response, next) => {
try {
const recordGetter = new RecordGetter(addresses);
const myRecord = await recordGetter.get(request.params.recordId);
if (myRecord.user_id) {
throw new Error();
}
next();
} catch (error) {
response.status(500).send({ error: "Already linked to a record" })
}
});
Let me know if it helps