How would someone model the API permissions that would be suitable for a SPA? I don’t want to send all the available user permissions on login because there will be hundreds of them, and I would prefer the access to come from the server rather than putting access logic in the frontend. You could say there are 3 types of permissions - view, generic and resource specific:
- view - can the user access a view, like can he access users list view (users:view.index etc.)
- generic - can the user access an api endpoint e.g. users list (users:index etc.)
- resource specific - actions the user can make on a specific resource like edit specific user etc.
API endpoints check generic permissions to see if they are accessible and attach resource-specific permissions via meta to resources if requested, but view and generic permissions are what I struggle with at the moment. Like, view permissions specify if a menu entry is visible and if the page is accessible; generic permissions, in addition to endpoint access, could sometimes influence if a button like “Invite user” or “Create user” is visible on the page, but I’m having a difficult time understanding how I should check it. For example, when you open a list (table) page, the only thing I can think of is to first fetch the view permissions and only then, depending on the response, retrieve the user list or show an access denied page? Has anyone dealt with this and got some tips or insights?
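One way to lay out the three permission kinds from the question server-side, as an added example that is not part of the original post: a generic permission guards the endpoint, resource-specific permissions ride along as per-row meta, and a single "open page" response carries the view check, the UI flags and the data in one round trip instead of two. The permission strings, user names and in-memory data are constructed assumptions, not any real framework's API.

```python
from functools import wraps

# Constructed sample: permission strings follow the "users:..." style of the post.
USER_PERMS = {
    "alice": {"users:view.index", "users:index", "users:create", "users:update:42"},
    "bob":   {"users:view.index"},          # may open the view, may not list users
    "eve":   set(),
}
USERS = [{"id": 42, "name": "Carol"}, {"id": 7, "name": "Dave"}]


class Forbidden(Exception):
    """Raised by an endpoint; the HTTP layer would map it to 403."""


def has_perm(user, perm):
    return perm in USER_PERMS.get(user, set())


def require(perm):
    """Generic permission: guards an API endpoint as a whole."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not has_perm(user, perm):
                raise Forbidden(perm)
            return fn(user, *args, **kwargs)
        return wrapper
    return deco


@require("users:index")
def list_users(user):
    """Rows carry resource-specific permissions as meta, decided server-side."""
    return [dict(u, meta={"can_edit": has_perm(user, f"users:update:{u['id']}")})
            for u in USERS]


def open_users_page(user):
    """One response for the SPA route: view check, UI flags and data together."""
    if not has_perm(user, "users:view.index"):
        return {"allowed": False, "status": 403}
    try:
        data = list_users(user)
    except Forbidden as exc:
        # View permitted but the data endpoint is not: render the page, show the denial.
        return {"allowed": True, "status": 403, "denied": str(exc), "data": []}
    return {"allowed": True, "status": 200,
            "ui": {"create": has_perm(user, "users:create")}, "data": data}
```

The SPA route guard then needs only the `allowed` flag to decide between rendering and the access denied page, and the button visibility and per-row edit flags come from the same payload.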