For example: Server side is Asp.net MVC, Client side is KnockoutJS.
Or should the MVC Razor syntax selectively output the controls based on the viewmodel?
Traditionally this would all be done server side, however with most databinding now occurring on the client it is mixing concerns by having conditional logic in Razor and KnockoutJS.
It goes without saying that the server validates all postbacks based on permissions, so escalation of privileges is not possible. Its also fair to point out that the concept of "Obscurity is not security" does come into play here. Just because an edit link does not exist does not mean that it isn't obvious for an attacker to attempt yourwebsite/users/edit/1
Often with a Knockout style UI you might make certain links / buttons available based on dynamic client side conditions anyway - and the distinction between what is an actual "security breach" and what is someone cheekily exposing insufficient server guard code and buggering up your application logic by hacking things with Firebug becomes a bit blurred. I would say do what's sensible and is in proportion to the risks / stakes of your specific business context.