wlanslovenija / django-tastypie-mongoengine

MongoEngine support for django-tastypie.

MongoEngineListResource does not check authorization #72

Open ghost opened 10 years ago

ghost commented 10 years ago

MongoEngineListResource objects do not check authorization for any changes (create, update, delete) prior to performing them. In obj_update, for example, https://github.com/wlanslovenija/django-tastypie-mongoengine/blob/master/tastypie_mongoengine/resources.py#L854 the change is made and saved without ever checking for authorization to make the change. The only permissions enforced here are read_* checks when getting the parent/containing Document.
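The pattern reported above, as an added example that is not part of the issue and is not tastypie or tastypie_mongoengine code: a simplified stand-in shows an update path that only performs the read check on the parent, next to the same path with a write check made before any mutation. Every class and function name in it is hypothetical, and the read-only policy and sample document are constructed for the demonstration.

```python
# Simplified stand-in for the pattern in the report; not tastypie or
# tastypie_mongoengine code. All class and function names are hypothetical.

class Unauthorized(Exception):
    pass

class ReadOnlyAuthorization:
    """Allows reads, refuses every write (constructed policy for the demo)."""
    def read_detail(self, parent, user):
        return True
    def update_detail(self, parent, user):
        return False

class Parent:
    """Stands in for the containing Document that holds an embedded list."""
    def __init__(self, items):
        self.items = list(items)
        self.saves = 0
    def save(self):
        self.saves += 1

def _load_parent(parent, user, auth):
    # The read_* check the report says is the only one enforced.
    if not auth.read_detail(parent, user):
        raise Unauthorized("read denied")
    return parent

def obj_update_unchecked(parent, index, value, user, auth):
    """Pattern described in the report: read check only, then save."""
    doc = _load_parent(parent, user, auth)
    doc.items[index] = value
    doc.save()
    return doc

def obj_update_checked(parent, index, value, user, auth):
    """Same operation with the write check made before any mutation."""
    doc = _load_parent(parent, user, auth)
    if not auth.update_detail(doc, user):
        raise Unauthorized("update denied")
    doc.items[index] = value
    doc.save()
    return doc

def run_demo():
    auth, user = ReadOnlyAuthorization(), "reader"
    a = obj_update_unchecked(Parent(["x"]), 0, "changed", user, auth)
    b = Parent(["x"])
    try:
        obj_update_checked(b, 0, "changed", user, auth)
        denied = False
    except Unauthorized:
        denied = True
    return a.items, a.saves, b.items, b.saves, denied
```

The same shape works as a regression test for create and delete: run each write path under a policy that permits reads only and assert that the stored document is unchanged and never saved.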