How does the front-end handle authorization logic when the front-end and back-end are separated (front-end and back-end mv*)?
(mv* may be mvc, mtv, or mvvm, etc.)
Backend:
    class BooksController
    {
        public function indexAction() { ... }

        public function showAction($id) { ... }

        public function editAction($id)
        {
            $book = Book::findOrFail($id);
            $user = Auth::user();
            // Authorization check (hasRole() or hasPermission();
            // alternatively: $acl->isAllowed($user, $book, 'edit-book'))
            if ($user->hasPermission('edit-book')) {
                .....
                $book->price = Input::get('price');
                $book->save();
                ......
            }
            .......
        }

        public function createAction() { ... }

        public function deleteAction($id) { ... }
    }
Back-end controllers/actions and other operations usually use an authorization system such as ACL/RBAC to make authorization decisions.
The question is:
How do front-end mv* frameworks like Emberjs, Angularjs, etc. handle the authorization part?
For example, if you are not logged in (browsing user), you will see 10 articles, and if you are logged in, you will see more content.
Method 1) Like the back end, use a separate authorization system/authorization logic to handle this?
Method 2) Put the result of the authorization logic into the JSON data and return it to the front end. Can the front end use it directly?
    class BooksController
    {
        public function editAction($id)
        {
            ...
            $book = ....;
            $user = Auth::user(); // the logged-in user, or null for an anonymous visitor who is not logged in
            // Authorization check, returns 1 or 0 (true/false); an anonymous visitor cannot edit
            $canEdit = $user ? $user->hasPermission('edit-book') : false;
            // alternatively: $canEdit = $acl->isAllowed($user, $book, 'edit-book');
            return new JsonResponse([
                'book'     => $book,
                'user'     => $user,
                'can_edit' => $canEdit,
                ........
            ]);
        }
    }
Method 3) When using Ember.js, a front-end MVC framework that is very similar to the back end, especially since it has a complete ORM-like component (ember-data): does the front-end ember-data model just need to be simply mapped to the back-end one, and is that enough? How are the authentication and authorization parts of the security concerns handled?
The projects I have come into contact with use "Method 2) put the result of the authorization logic into the JSON data and return it to the front end, and the front end uses it directly." That is, the back end returns the permissions owned by the user, and then the front end makes the judgment, but I feel that if this is the case, security will be reduced. If the returned result is tampered with, the front-end permissions will be broken, although this is only possible if the rule definitions are known.
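A minimal model of Method 2 and of the tampering concern raised above, written as an added example (not code from the question or the answer, and using no framework): the server sends `can_edit` purely as a hint for the UI, and the edit endpoint re-runs the same check itself, so a forged flag on the client changes what is displayed but not what is allowed. The books, users and function names (canEdit, showAction, editAction, renderBook) are invented for illustration.

```javascript
// Constructed sample data: one book, one editor, and an anonymous visitor.
const books = { 1: { id: 1, title: 'Ember in Action', price: 30 } };
const users = {
  alice: { name: 'alice', permissions: ['edit-book'] },
  guest: null, // not logged in (the back end's Auth::user() would return null)
};

// The single authorization rule. It is evaluated only on the server side.
function canEdit(user, book) {
  return Boolean(user && book && user.permissions.includes('edit-book'));
}

// GET /books/:id -> JSON for the client, including the UI hint `can_edit`.
function showAction(user, id) {
  const book = books[id];
  if (!book) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { book, user, can_edit: canEdit(user, book) } };
}

// PUT /books/:id -> the server re-checks the rule; whatever the client claims
// about its own permissions (e.g. a forged `can_edit: true`) is ignored.
function editAction(user, id, input) {
  const book = books[id];
  if (!book) return { status: 404, body: { error: 'not found' } };
  if (!canEdit(user, book)) return { status: 403, body: { error: 'forbidden' } };
  book.price = Number(input.price); // only the whitelisted field is written
  return { status: 200, body: { book } };
}

// Client side: `can_edit` decides what the UI shows, never what is permitted.
function renderBook(json) {
  const buttons = json.can_edit ? ['edit'] : [];
  return { title: json.book.title, buttons };
}
```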