replaced https://tools.ietf.org/html/rfc with https://www.rfc-editor.org/rfc/rfc

> I was thinking whether it would be a good/acceptable practice to include the permissions in all resources
>
> This way the client will always know what it can do with the resource.

You are really close. In REST, the answer is hypermedia affordances.

Think about the web. How do you, as a client, know what you can do? You look for links and forms in the HTML representation of the resource (well, more precisely, a general purpose client renders a bunch of links and forms for you). If, for whatever reason, you aren't able to proceed along a particular workflow, the links and forms related to that workflow are removed from the representation.

(Note: this is purely "communicate possibilities to the client"; the server still needs to defend itself against inappropriate use).

For example, consider Wikipedia: you navigate to https://en.wikipedia.org/wiki/Hypermedia and at the top of the page is an "edit" link. That tells you how to navigate from the "read" resource to another that supports editing. The editing resource includes a big hypermedia form at the bottom, describing to the general purpose browser how to submit a request with your edits.

Atom Syndication and Atom Publishing achieve a similar result by defining link relations - an RDF triple that describes a relationship between the thing here and something over there. You signal to clients that an affordance is available by including a link to it in the representation.

cat: {
    name:string
    permissions:[string]
}

You may want to look into the JSON hypermedia standards that are under development, rather than trying to roll your own. SIREN, Hydra, and so on. Kevin Sookocheff discussed choosing among the alternatives, although you may want to look for something more recent than 2014.

VoiceOfUnreason
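
The split the answer describes, advertising affordances in the representation while the server still defends itself, as an added example that is not part of the original answer. The role names, the JSON link shape and the `delete` relation are assumptions made up for illustration (this is not SIREN or Hydra).

```python
# Constructed policy and data; every name here is hypothetical.
POLICY = {
    "viewer": {"read"},
    "editor": {"read", "edit"},
    "owner": {"read", "edit", "delete"},
}
# action -> (link relation, HTTP method); "delete" is not a registered relation.
ACTIONS = {
    "read": ("self", "GET"),
    "edit": ("edit", "PUT"),
    "delete": ("delete", "DELETE"),
}
CATS = {"42": {"name": "Tom"}}


def allowed(role, action):
    """One authorization decision, shared by rendering and enforcement."""
    return action in POLICY.get(role, set())


def represent(role, cat_id):
    """Build the representation; links the caller may not follow are omitted."""
    href = f"/cats/{cat_id}"
    links = [
        {"rel": rel, "method": method, "href": href}
        for action, (rel, method) in ACTIONS.items()
        if allowed(role, action)
    ]
    return {"name": CATS[cat_id]["name"], "links": links}


def handle(role, method, cat_id, body=None):
    """Enforce on every request, whether or not a link was ever advertised."""
    action = next((a for a, (_, m) in ACTIONS.items() if m == method), None)
    if action is None:
        return 405, None
    if not allowed(role, action):  # a hidden link is not access control
        return 403, None
    if cat_id not in CATS:
        return 404, None
    if action == "delete":
        del CATS[cat_id]
        return 204, None
    if action == "edit" and body and "name" in body:
        CATS[cat_id]["name"] = str(body["name"])
    return 200, represent(role, cat_id)
```

Because `represent` and `handle` both call `allowed`, the advertised links and the enforced policy cannot drift apart, and a client that guesses the `DELETE` URL without having been shown the link still gets a 403.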