diff --git a/server/pkg/dal/service.go b/server/pkg/dal/service.go
index 4cef0eaeb3..5c3dd06cbd 100644
--- a/server/pkg/dal/service.go
+++ b/server/pkg/dal/service.go
@@ -831,6 +831,8 @@ func (svc *service) applyAlteration(ctx context.Context, alts ...*Alteration) (e
 	}
 
 	var (
+		c = svc.GetConnectionByID(0)
+
 		connectionID = alts[0].ConnectionID
 		resource     = alts[0].Resource
 		resourceType = alts[0].ResourceType
@@ -864,6 +866,11 @@ func (svc *service) applyAlteration(ctx context.Context, alts ...*Alteration) (e
 		return nil, fmt.Errorf("model not found")
 	}
 
+	if model.ConnectionID == c.ID && model.Ident == "compose_record" {
+		err = fmt.Errorf("cannot apply alterations for default schema")
+		return
+	}
+
 	issues = issues.addModel(model.ResourceID)
 
 	// @todo consider adding some logging to validators
diff --git a/server/system/service/dal_schema_alteration.go b/server/system/service/dal_schema_alteration.go
index 637412485f..c1aeea70f3 100644
--- a/server/system/service/dal_schema_alteration.go
+++ b/server/system/service/dal_schema_alteration.go
@@ -149,15 +149,6 @@ func (svc dalSchemaAlteration) SetAlterations(ctx context.Context, s store.Store
 		u = intAuth.GetIdentityFromContext(ctx).Identity()
 	)
 
-	// @todo this won't work entirely; if someone defines a dal connection to the same DSN as the primary one,
-	//       they can easily bypass this.
-	//       We'll need to do some checking on the DSN; potentially when defining the connection itself.
-	c := svc.dal.GetConnectionByID(0)
-	if m.ConnectionID == c.ID && m.Ident == "compose_record" {
-		err = fmt.Errorf("cannot set alterations for default schema")
-		return
-	}
-
 	// Delete current ones
 	// @todo we might be able to do some diffing to preserve the metadata/ids
 	//       but for now this should be just fine.