by hadriendavid 3404 days ago
How I interpret HATEOAS:

The client knows what it can access, and how, on behalf of the authenticated user. Examples:

Representation for a user with no privileges:

    {
        "articles": [{
            "id": 123,
            "title": "A title",
            "links": {
                "self": {
                    "href": "http://blog.com/articles/123",
                    "methods": ["GET"]
                }
            }
        }],
        "links": {
            "self": {
                "href": "http://blog.com/articles",
                "methods": ["GET"]
            }
        }
    }

Representation for a user who is authorized to add/edit/delete articles:

    {
        "articles": [{
            "id": 123,
            "title": "A title",
            "links": {
                "self": {
                    "href": "http://blog.com/articles/123",
                    "methods": ["GET", "DELETE", "PUT"]
                }
            }
        }],
        "links": {
            "self": {
                "href": "http://blog.com/articles",
                "methods": ["GET", "POST"]
            }
        }
    }

This reduces the authorization logic on the client side.
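The pattern in the comment above, as an added example that is not part of the thread: the server derives each `methods` array from the authenticated user's permissions, the client branches only on whether a verb is present, and the same policy is re-checked when a request actually arrives. The role names, the `POLICY` table, and the `http://blog.com` base URL are assumptions for illustration.

```javascript
// Added example, not code from the thread. Base URL taken from the
// representations shown in the comment; everything else is assumed.
const BASE = "http://blog.com";

// Hypothetical permission model: each role maps to the HTTP methods it may
// use on the article collection and on an individual article.
const POLICY = {
  reader: { collection: ["GET"], item: ["GET"] },
  editor: { collection: ["GET", "POST"], item: ["GET", "DELETE", "PUT"] },
};

// Unknown roles fall back to the least-privileged one.
function methodsFor(user, scope) {
  const role = POLICY[user.role] || POLICY.reader;
  return role[scope].slice();
}

// Server side: build the representation from the comment, with the allowed
// methods computed from the authenticated user's role rather than hard-coded.
function represent(articles, user) {
  return {
    articles: articles.map((a) => ({
      id: a.id,
      title: a.title,
      links: {
        self: {
          href: `${BASE}/articles/${a.id}`,
          methods: methodsFor(user, "item"),
        },
      },
    })),
    links: {
      self: {
        href: `${BASE}/articles`,
        methods: methodsFor(user, "collection"),
      },
    },
  };
}

// Client side: the only check is "is the verb in the array". The client
// never learns about roles, so a policy change needs no client release.
function can(resource, method) {
  return resource.links.self.methods.includes(method);
}

// Server side on each request: the hints are an affordance for the client,
// so the policy is evaluated again here before anything is modified.
function authorize(user, method, path) {
  let scope;
  if (path === "/articles") scope = "collection";
  else if (/^\/articles\/\d+$/.test(path)) scope = "item";
  else return false;
  return methodsFor(user, scope).includes(method);
}

// Constructed sample data mirroring the thread's example.
const SAMPLE_ARTICLES = [{ id: 123, title: "A title" }];

module.exports = { represent, can, authorize, SAMPLE_ARTICLES };
```

A client that renders a "Delete" button only when `can(article, "DELETE")` holds will show the right UI for both users in the comment, while `authorize` ensures that a hand-crafted `DELETE` from a reader is still refused.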

How? At the end of the day you're still writing an "if" statement branching on a piece of data in the response. In a regular API it might be canEdit; here it's the HTTP verb in an array.