@leehambley
leehambley / AAAS.md
Last active December 31, 2015 02:59
Authorisation as a service?

Problem

Web applications need to understand which permissions are granted to the current user in two key areas.

  1. When enforcing the permission server side (e.g. returning 403 when trying to access a resource outside of one's graph).
  2. When rendering the user interface, so as not to render misleading controls (e.g. "Edit this Widget" when the user lacks the appropriate permissions).

Further, in many applications in the wild (for better, or worse, perhaps I need new friends and colleagues) I've seen ways implemented to nerf or flat-out disable authorisation controls. In addition to the regular graph-based authorisation flow, the concept of super users is prevalent, and dangerous.
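An added example (not from this gist) of keeping both areas, the server-side 403 and the rendered controls, on one decision function, with no superuser bypass. The data model, names and the "owner or explicit grant" rule are constructed assumptions for illustration:

```python
from dataclasses import dataclass, field

# Constructed sample model (hypothetical, not the gist's design): a resource has
# one owner, and a user's "graph" is every resource they own plus explicit
# grant edges to other resources.
@dataclass(frozen=True)
class Resource:
    id: str
    owner: str

@dataclass
class User:
    id: str
    grants: dict = field(default_factory=dict)  # resource id -> set of actions

ACTIONS = ("view", "edit", "delete")

def permitted(user: User, resource: Resource, action: str) -> bool:
    """The single authorisation decision point.

    Owners get every known action; everyone else needs an explicit grant
    edge. There is deliberately no superuser flag: a bypass here would
    silently disable the 403 check and the UI hint at the same time.
    """
    if action not in ACTIONS:
        return False
    if resource.owner == user.id:
        return True
    return action in user.grants.get(resource.id, set())

def handle_request(user: User, resource: Resource, action: str) -> int:
    """Server-side enforcement: HTTP status for an attempted action."""
    return 200 if permitted(user, resource, action) else 403

def ui_controls(user: User, resource: Resource) -> list:
    """UI rendering: the controls to show, derived from the same decision."""
    return [a for a in ACTIONS if permitted(user, resource, a)]

if __name__ == "__main__":
    widget = Resource("widget-1", owner="alice")
    bob = User("bob", grants={"widget-1": {"view"}})
    print(handle_request(bob, widget, "edit"), ui_controls(bob, widget))  # 403 ['view']
```

Because both paths call `permitted`, the UI cannot offer a control the server would reject, and a future bypass would have to be added in one obvious place.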

Background