Same resource different permissions

So I was wondering what would be the go to option in common situation when dealing with permissions:
we have an Article and Language resources, the user has access to Articles list but does not have access to Languages list for administration yet Article needs a language to be assigned on creation.
How can we provide the user the Languages for creating the Article yet preventing the user form accessing the Languages list? Do we have to create 2 different resources or endpoints? In basic json responses you just attach available languages on create/edit data request but can’t figure out how to go about this in json api’ish way.

If a user does not have enough rights return a 405 Method Not Allowed Have the server / log in management deal with it.

Why can’t a user have access to /languages?