If I hide the delete button, is the action safe?
Hiding a button is convenience, not protection. Anyone can call the API directly, so the server has to check every permission too.
Hiding a button does not block the request
Hiding the delete button only takes it off the screen. The endpoint behind it is still live, and anyone can hit it directly with curl or the browser network tab. Gating on the client is a UX choice, not a security boundary.
Enforce every permission on the server
The server is where the boundary actually lives. Each endpoint, server action, and route handler should re-check the caller's role before it does anything. The client check decides what to show. The server check decides what really happens.
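The following is an added example, not code from the original lesson: two versions of the same delete route handler, written as plain functions so they run without a web framework. The first does what the page warns against and trusts that only admins can reach it; the second re-checks the caller's session-derived identity and role on the server. The request shape (`req.params`, `req.session.user`), the item store and the user names are constructed assumptions.

```javascript
// Constructed sample data: a fresh store per call so the two handlers can be
// compared without sharing state. Each item records its owner.
function makeStore() {
  return new Map([
    [1, { id: 1, ownerId: "alice" }],
    [2, { id: 2, ownerId: "bob" }],
  ]);
}

// Weak: relies on the client hiding the delete button. There is no check
// here, so any caller who sends the request (curl, network tab, a script)
// deletes whatever id they name.
function deleteItemWeak(req, store) {
  const id = Number(req.params.id);
  if (!store.has(id)) return { status: 404 };
  store.delete(id);
  return { status: 204 };
}

// Hardened: identity and role come only from the server-side session
// (assumed to be populated from a signed cookie, never from the request
// body), and the caller must be an admin or the item's owner.
function deleteItemSecure(req, store) {
  const user = req.session && req.session.user;
  if (!user) return { status: 401 };                 // not signed in
  const id = Number(req.params.id);
  if (!Number.isInteger(id)) return { status: 400 }; // malformed id
  const item = store.get(id);
  if (!item) return { status: 404 };
  const allowed = user.role === "admin" || item.ownerId === user.id;
  if (!allowed) return { status: 403 };              // authorization check
  store.delete(id);
  return { status: 204 };
}
```

The weak handler returns 204 for an anonymous caller; the hardened one returns 401, 403 or 404 before touching the store, which is the behaviour to look for when reviewing a route that a hidden button points at.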
Client gating is UX. The server is the real boundary, so re-check every permission there.