Figure out how to deal with object level permissions

[sergei-maertens]

Currently, the ZAC backend checks object-level permissions (the permissions themselves are managed through authorization profiles/roles).

They are scoped on the zaak.zaaktype and zaak.vertrouwelijkheidaanduiding, mostly.

For collections, the backend (API) can filter out the results that are only relevant for the authenticated user. The same goes for retrieving an object or attempting an action on it - the backend will verify these permissions and throw a HTTP 403 error if the user does not have the appropriate permissions.

However, the frontend needs to know which permissions the user has or doesn't have, in order to be able to properly show the relevant UI controls (.e.g. don't show the "add file" button if the user doesn't have permission for this).

What's the best way to get those permissions from the backend to the frontend?

1. Include them in the JSON response, under a _permissions key? E.g.

       "id": "123",
       "zaaktype": "...",
       "_permissions": {
           "zaakproces:usertasks-uitvoeren": false,
           "zaken:add-documents": true,
           "zaken:toegang-verlenen": false,
       }

2. Have a dedicated endpoint for permission checks: GET /api/permissions?object=https://openzaak.utrechtproeftuin.nl/...&objectType=zaak. Possibly this could include a detail-resource to check a single permission, and might be more suited to the component approach where each component checks its own permission(s).

3. Communicate the permissions through headers as to not polute the response body? This can get unwieldly though, and header parsing isn't particularly fun. It also doesn't account for getting the permissions for each object in a collection of objects.

4. Any other options?