I have now the need to conditionally render some parts of the UI (or execute some operations) based on the user role/permission (authorization is server side model based ACL).
What is the best way to communicate permission data from server to client, taking into account that:
- The models exchanged may have other embedded models with their specific permission
- I need to know also READ and CREATE permissions on different models (so the model object is not yet available client side)
- Should minimize REST calls and DB calls
Your client should present controls to the user based on information returned by the server on a per-request basis. If the response from the server includes some information intended to be used to perform an action, the client should take that hint and maybe enable a button or make it visible or something.
Using this approach, you can define your ACL in terms of resource/privilege -- this model + that HTTP method. When the server is about to return a representation of a resource, it can include any options the user should see for that resource by polling the ACL for all privileges the user possesses for that resource (or others, like children/descendant resources.)