Global state management and database auth
Answered
Pacific anchoveta posted this in #help-forum
Pacific anchovetaOP
Hey folks
Came here to ask a question. I am doing a Next.js project where I will have users that have perms and a role. I have Lucia and Lucia's getUser function that checks and validates all the sessions and other things and returns a user if everything's fine. Every user will have the role, some IDs and a permissions array, with perms like 'canSeeX'. I am thinking about using zustand for global state management, so upon logging in and validating the user, I could set a global state with the role, ID and the perms to easily show and hide certain things. For example, if the user has no admin role, I would hide buttons like admin panel based on the state and user object. I validate the user anyways on the server side each time they do something, so I think it should be a safe solution. Even if somebody was nosy, it won't hurt if they enter the /admin route manually, since they won't get anything from the DB.
Is this a valid approach, or did I get it completely wrong?
Answered by James4u
you can use your global states for client-end side authorization or anything you want
8 Replies
Pacific anchovetaOP
b
Pacific anchovetaOP
b
Pacific anchovetaOP
b
I think that's fine @Pacific anchoveta
as long as you have authentication and authorization on the backend
you can use your global states for client-end side authorization or anything you want
Answer
Pacific anchovetaOP
thanks a lot for the response! I just wanted to make sure I am going the right way 

You can close the thread then
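The split discussed in this thread, as an added example that is not part of the original posts: the client store only decides what to render, while the server decides access from the session alone. `getUser` here is a hypothetical stand-in for the session validation the question delegates to Lucia, and the session table, the `canOpenAdminPanel` permission and the request shape are constructed for illustration.

```javascript
// Constructed sample data: session id -> user record as the server stores it.
const SESSIONS = new Map([
  ["sess-admin", { id: "u1", role: "admin", permissions: ["canSeeX", "canOpenAdminPanel"] }],
  ["sess-basic", { id: "u2", role: "user", permissions: ["canSeeX"] }],
]);

// Hypothetical stand-in for server-side session validation (not Lucia's API):
// returns the stored user for a valid session id, or null.
function getUser(sessionId) {
  return SESSIONS.get(sessionId) ?? null;
}

// Client side: cosmetic only. Chooses which buttons to render from the store.
function visibleButtons(clientState) {
  const buttons = ["profile"];
  if (clientState.role === "admin") buttons.push("adminPanel");
  return buttons;
}

// Server side: the decision uses only the user resolved from the session.
// Anything the request says about its own role or permissions is ignored.
function handleAdminRequest(request) {
  const user = getUser(request.sessionId);
  if (!user) return { status: 401, body: null };
  const allowed =
    user.role === "admin" && user.permissions.includes("canOpenAdminPanel");
  if (!allowed) return { status: 403, body: null };
  return { status: 200, body: { panel: "admin data for " + user.id } };
}

// Client state that disagrees with the server record changes the UI only:
// the button renders, but the server still answers from the session.
const mismatchedState = { role: "admin", permissions: ["canOpenAdminPanel"] };
const mismatchedRequest = { sessionId: "sess-basic", claimedRole: mismatchedState.role };
console.log(visibleButtons(mismatchedState), handleAdminRequest(mismatchedRequest).status);
```
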