Deserialization should clear previous_changes on models it doesn't update

[chrisandreae]

If we didn’t make changes to the model, UpdateContext doesn’t call save. If it doesn’t call save, it doesn’t clobber previous_changes on the model, so previous_changes that didn’t come from deserialization are available for the access control to look at, without much way to distinguish them.

This isn't very nice. Consider if visiting a model for deserialization should clear its previous changes regardless of whether it saves or not, thus ensuring that previous_changes throughout the tree is guaranteed to exactly represent the changes made to the tree.

[chrisandreae]

Another option would be to take it off the model entirely, and make our changes structure a deep nested parallel structure of what view-level attributes were changed in each view in the tree. This would be a rather larger change, but might be a cleaner layering.