This should be enforced by the backend, why should you ever trust the client to tell you what access you have?