[Bug] Auth rules of parent not respected when child with `hasInverse` is added

Could anyone reproduce this?

It’s a security issue!