We have some checks that are only to be enforced for external user and other checks that should always be enforced for data integrity.
So I think we should follow the proposal of Verify access right only for RPC and have this API:
check_modification(cls, records, values=None, external=False)which is called without check access butexternalis set toTruewhen check access isTrue.