render partial view based on user permissions

Question

My Task is to create a permission system that is not pre-defined by roles. E.g the system does not define the roles which an admin can assign to other users. Instead the system only provides all the database tables and the admin can create their own roles on the fly be choosing tables and the grant level (CRUD) and also which fields should be visible. That would be the easy part.

The current implementation without any permissions is to fetch the data with an RESTful API and then create the DOM by javascript. Since the javascript knows what to display on the current page it can grab the properties from the data object or even fetch related data.

But now the returned fields from the API call may be different from user to user. How can i display only the data a user is granted to see?

Example:

In the image below we see the current element only showing the name and description fields. These can the current user edit. There is also a position input to define the ordering of the image but the user has no permission to change that and it is not generated. Initial state, data fetched from API

When we click on "new image" a new row is added with javascript but now the field "position" is visible. After clicking "new image"

The JS code does not now what fields the user can see and what not. How can i control that behavior?

Should i create a new API that will fetch the "structure" of the page based on the current users permission or should i alter the javascript code with php to output only required logic for the current user?

What should be the general approach and is there already something available in cakephp?

Answer 1

my current solution is to make a request to a new endpoint which gives me an empty data object but only with fields visible to the user.

button event -> fetch api/newEmptyObject -> render input fields

the downside is that it adds a delay from user click-event to displaying the input fields.