This is a best-practice question regarding user permissions on a website. If a user does not have permission to perform certain actions on the page, is it better to:
A. Do those security checks before rendering and hide the buttons
B. Go ahead and render the buttons and do the security check when the user clicks the button, and notify them if they do not have permission.
I am leaning towards B for several reasons. Two of those reasons are a faster initial load time and that it is clearer for the user. If they don’t see the button, they might not understand that it’s not there due to security, and that could lead to a support call.
I’d love to hear other opinions on this.
You should always do the security checks just before you do some action, even if the buttons are hidden. Remember that the client can send any HTTP request he wants, regardless of what buttons your webpage offers.
But of course it would be useful to check the user permissions when displaying the buttons, too. I think the best practice is not to hide them, but to “grey them out” or show in another visual way that a certain action exists but cannot be performed. It would be annoying for the user if he first has to press the buttons to check whether they are working.
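The approach described in the answer above, as an added example that is not part of the original posts: one permission function drives both the greyed-out buttons and the server-side check that runs on every request. The role table, action names and the `is_allowed`, `render_buttons` and `handle_action` functions are hypothetical and framework-independent.

```python
from html import escape

# Constructed sample data: role -> actions that role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "admin": {"view", "edit", "delete"},
}
ACTIONS = ["view", "edit", "delete"]


def is_allowed(role, action):
    """Single source of truth used by both rendering and enforcement."""
    return action in ROLE_PERMISSIONS.get(role, set())


def render_buttons(role):
    """UI hint only: unavailable actions are greyed out, not hidden."""
    buttons = []
    for action in ACTIONS:
        disabled = "" if is_allowed(role, action) else " disabled"
        buttons.append(
            f'<button name="action" value="{escape(action)}"{disabled}>'
            f"{escape(action.title())}</button>"
        )
    return "\n".join(buttons)


def handle_action(role, action):
    """Server-side handler: re-checks permission on every request.

    The check runs here no matter what the page rendered, because the
    client can submit any request, including one for a disabled button.
    """
    if action not in ACTIONS:
        return 400, "unknown action"
    if not is_allowed(role, action):
        return 403, f"you do not have permission to {action}"
    return 200, f"{action} performed"


if __name__ == "__main__":
    print(render_buttons("viewer"))
    # A hand-crafted request for an action whose button was disabled:
    print(handle_action("viewer", "delete"))
```

In a real application the role passed to `handle_action` must come from the server-side session, never from a field the client supplies.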