For example:
Server side is Asp.net MVC,
Client side is KnockoutJS.
From a security and standards perspective:
Is it acceptable for the server to output an edit link and the client side code then set the visibility of the control based on javascript viewmodel property such as “HasEditPermission”?
Or should the MVC Razor syntax selectively output the controls based on the viewmodel?
Traditionally this would all be done server side, however with most databinding now occurring on the client it is mixing concerns by having conditional logic in Razor and KnockoutJS.
It goes without saying that the server validates all postbacks based on permissions, so escalation of privileges is not possible. Its also fair to point out that the concept of “Obscurity is not security” does come into play here. Just because an edit link does not exist does not mean that it isn’t obvious for an attacker to attempt yourwebsite/users/edit/1
My pragmatic take on this is that if you can output conditional Knockout view models and data binding expressions etc via Razor at page generation time in a fairly clean way without too many hacks and design tradeoffs, then do so. But so long as you are not stashing security related data in your Javascript or the DOM (passwords, secret tokens etc) then I wouldn’t lose too much sleep over using client side logic to decide whether to make something like an Edit link visible or not. As you say, anyone can modify an existing URL which they have been given rightful access to anyway – which is why the resource itself does the appropriate checks when requested.
Often with a Knockout style UI you might make certain links / buttons available based on dynamic client side conditions anyway – and the distinction between what is an actual “security breach” and what is someone cheekily exposing insufficient server guard code and buggering up your application logic by hacking things with Firebug becomes a bit blurred. I would say do what’s sensible and is in proportion to the risks / stakes of your specific business context.