Javascript 使用角色保护Breeze Save功能

我想做的是，当从Breeze调用SaveChanges web api时，我检查要保存的实体类型，并确保用户具有添加/修改该实体类型的适当权限。到目前为止，我所拥有的：

[HttpPost]
public SaveResult SaveChanges(JObject bundle)
{
    _clientPortalContext.BeforeSaveEntitiesDelegate = ValidateSecurity;
    return _clientPortalContext.SaveChanges(bundle);
}

private Dictionary<Type, List<EntityInfo>> ValidateSecurity(Dictionary<Type, List<EntityInfo>> saveMap)
{
    List<EntityInfo> workItems;
    if (saveMap.TryGetValue(typeof(WorkItem), out workItems))
    {
        if (workItems.Count(wi => wi.EntityState == Breeze.ContextProvider.EntityState.Added) > 0 && !Utilities.GetCurrentUser().HasPermission(1))
        {
            var errors = workItems.Select(wi => { return new EFEntityError(wi, "Not Authorized", "The current user is not authorized to create work items.", ""); });
            throw new EntityErrorsException(errors);
        }
    }

    return saveMap;
}

POST http://localhost:14307/breeze/WorkItem/SaveChanges 403 (Exception of type 'Breeze.ContextProvider.EntityErrorsException' was thrown.) angular.js:8380

TypeError: Cannot read property 'map' of undefined
at ctor._prepareSaveResult (http://localhost:14307/Scripts/breeze.debug.js:15625:43)
at Object.breeze.AbstractDataServiceAdapter.ctor.saveChanges.ajaxImpl.ajax.success (http://localhost:14307/Scripts/breeze.debug.js:14822:43)
at successFn (http://localhost:14307/Scripts/breeze.debug.js:15025:20)
at http://localhost:14307/scripts/angular.js:7946:11
at deferred.promise.then.wrappedCallback (http://localhost:14307/scripts/angular.js:11319:81)
at http://localhost:14307/scripts/angular.js:11405:26
at Scope.$get.Scope.$eval (http://localhost:14307/scripts/angular.js:12412:28)
at Scope.$get.Scope.$digest (http://localhost:14307/scripts/angular.js:12224:31)
at Scope.$get.Scope.$apply (http://localhost:14307/scripts/angular.js:12516:24)
at done (http://localhost:14307/scripts/angular.js:8204:45) undefined