Since you need to GET the resource from the server anyway, why not use that same request to check if the currently logged-in user can perform CRUD actions on that resource? You then return the allowed actions alongside the resource. Depending on which allowed actions you return, you can render the components.
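A sketch of the pattern described above, as an added example that is not part of the original post: the GET handler returns the resource together with the actions the caller may perform, and the client renders controls from that list. The policy rules, sample data and function names (`can`, `getDocument`, `updateDocument`, `visibleControls`) are assumptions made for illustration; the mutating handler repeats the check because the list sent to the browser only drives rendering.

```javascript
// Added example: policy model, sample data and all names here are assumptions.
const ACTIONS = ["create", "read", "update", "delete"];

// Constructed sample data standing in for a database.
const documents = new Map([
  ["doc-1", { id: "doc-1", ownerId: "alice", title: "Q3 plan", shared: true }],
]);

// Single authorization function, used by every handler (deny by default).
function can(user, action, doc) {
  if (!user || !doc || !ACTIONS.includes(action)) return false;
  if (user.role === "admin") return true;
  if (doc.ownerId === user.id) return true;
  return action === "read" && doc.shared === true;
}

// GET handler: return the resource plus the actions this user may perform on it.
function getDocument(user, id) {
  const doc = documents.get(id);
  // Same 404 for "missing" and "not readable", so existence is not disclosed.
  if (!can(user, "read", doc)) return { status: 404 };
  const allowedActions = ACTIONS.filter((action) => can(user, action, doc));
  return { status: 200, body: { data: { id: doc.id, title: doc.title }, allowedActions } };
}

// Mutating handler: re-run the check on the server; the allowedActions list
// held by the client decides what is rendered, not what is permitted.
function updateDocument(user, id, patch) {
  const doc = documents.get(id);
  if (!can(user, "read", doc)) return { status: 404 };
  if (!can(user, "update", doc)) return { status: 403 };
  doc.title = String(patch.title);
  return { status: 200, body: { data: { id: doc.id, title: doc.title } } };
}

// Client side: choose which controls to render from the returned list.
function visibleControls(body) {
  const labels = { update: "Edit", delete: "Delete" };
  return body.allowedActions.filter((action) => action in labels).map((action) => labels[action]);
}
```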