I have a form with about 30 fields on it. Depending on who you are, you may only have access to edit a few of those fields. I’m currently binding the model to a public variable but, as you may guess, that means all the data is out in the DOM. Is there any clever ways I’m not thinking of to hide certain attributes? The best one I’ve come up with is to copy all the attributes into a new object checking for the permission needed for each one, then copying them back after validation. It works, sure, just trying to think of something more elegant.
I would put the emphasis on the save operation. Only save the attributes that the user is allowed to save. If they tinker with the network request and change the values of fields they have no rights for, then you will just ignore what they sent.