Let plugins configure a server-side update logic on a per-type basis
As an example consider an update-user-account request (#97 (closed)): clients would still send it to the generic update endpoint, and the Access Control plugin interferes the request at server-side (in order to do password's SHA256 encoding and proprietary workspace assignment).
An alternative approach would be to let the client send the update-user-account request to a proprietary endpoint (#98), provided by Access Control plugin. But then a chance for misuse remains: an application could still send an update-user-account request to the generic update endpoint by mistake. This would corrupt the user account. Server-side interference eliminates that error source.
So #98 will be postponed in favor for a server-side approach.
@mukil FYI