Proposal: add "permissions" to response objects
For each object returned by the API, add a "permissions" property that describes the actions (e.g. "edit") that the current user is allowed to take on this object.
This might not be a good idea for various reasons (e.g. keeping the permissions data on the client up-to-date when a related item is updated), but it's worth considering.