</snip>
correct -- you are not able to prevent devs from crafting their own requests to servers and attempting operations that are not valid or are possibly harmful. what you can do, however, is make sure the server does not honor those invalid/harmful requests.
<snip>
</snip>
i have no idea what this sentence means.
your scenario includes two different "personas" or "actors" -- "admin" and "user". these are the "contexts" for requests. for example, context A is "the persona making this request is admin". in your example, it is up to the server to establish this context. a user login is probably the best way to do that.
once the persona is established, your server can enforce whatever context-related workflow or security is appropriate. that can include crafting resource representations that are context-specific (e.g. they only display information valid for that persona, the templates are appropriate for the context, and the link collections (for the response and each item) are also appropriate for the context).
and, yes, this is not a Cj-related question -- this problem exists for all web servers. the good news is the solution is the same no matter the representation format -- establish and honor the context of the request.
cheers.
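As an added illustration of the point above (not code from the thread or from any Collection+JSON library), here is a small Python server-side handler that establishes the persona from a server-issued session token, refuses any crafted request the persona is not allowed to make, and renders a context-specific Cj-style collection (admin-only data fields, a write template, and per-item "delete" links only when that persona may delete). The session store, tokens, items and permission table are all constructed for the example; the `handle_request` signature is hypothetical and stands in for whatever framework you use.

```python
# Constructed sample data (placeholders, not from the thread): a session store
# the server controls, a tiny item collection, and a permission table.
SESSIONS = {"tok-admin-1": "admin", "tok-user-1": "user"}
ITEMS = {
    "1": {"name": "report-q1", "internal_note": "audit pending"},
    "2": {"name": "report-q2", "internal_note": "draft"},
}
# Operations each persona may perform; the client never gets to choose this.
PERMISSIONS = {
    "admin": {"read", "create", "delete"},
    "user": {"read"},
}
METHOD_TO_OP = {"GET": "read", "POST": "create", "DELETE": "delete"}


def establish_context(headers):
    """Derive the persona from a token the server itself issued.
    Anything the client asserts about its own role is ignored."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return SESSIONS.get(token)  # None means not logged in


def item_links(persona, item_id):
    """Links advertised for one item; only personas that may delete see 'delete'."""
    links = [{"rel": "self", "href": f"/items/{item_id}"}]
    if "delete" in PERMISSIONS[persona]:
        links.append({"rel": "delete", "href": f"/items/{item_id}"})
    return links


def render_item(persona, item_id, item):
    """Context-specific item representation: internal fields only for admin."""
    data = [{"name": "name", "value": item["name"]}]
    if persona == "admin":
        data.append({"name": "internal_note", "value": item["internal_note"]})
    return {"href": f"/items/{item_id}", "data": data,
            "links": item_links(persona, item_id)}


def build_collection(persona):
    """Cj-shaped collection tailored to the persona making the request."""
    coll = {
        "version": "1.0",
        "href": "/items",
        "items": [render_item(persona, i, it) for i, it in ITEMS.items()],
        "links": [{"rel": "self", "href": "/items"}],
    }
    if "create" in PERMISSIONS[persona]:
        # The write template is only offered to personas that may create.
        coll["template"] = {"data": [{"name": "name", "value": ""}]}
    return {"collection": coll}


def handle_request(method, path, headers):
    """Return (status, body). The server decides, not the shape of the request."""
    persona = establish_context(headers)
    if persona is None:
        return 401, {"error": "login required"}
    op = METHOD_TO_OP.get(method)
    # A crafted DELETE from a 'user' is refused here regardless of what
    # links or templates that persona was (or was not) shown earlier.
    if op is None or op not in PERMISSIONS[persona]:
        return 403, {"error": f"{method} not permitted for persona {persona}"}
    if method == "GET" and path == "/items":
        return 200, build_collection(persona)
    if method == "DELETE" and path.startswith("/items/"):
        item_id = path.rsplit("/", 1)[1]
        if item_id not in ITEMS:
            return 404, {"error": "no such item"}
        del ITEMS[item_id]
        return 204, None
    return 404, {"error": "no such resource"}


if __name__ == "__main__":
    for who, hdrs in [("anonymous", {}),
                      ("user", {"Authorization": "Bearer tok-user-1"}),
                      ("admin", {"Authorization": "Bearer tok-admin-1"})]:
        print(who, "GET /items ->", handle_request("GET", "/items", hdrs)[0])
        print(who, "DELETE /items/1 ->", handle_request("DELETE", "/items/1", hdrs)[0])
```

The representation and the enforcement are driven by the same `PERMISSIONS` table, so hiding a link or a template is a courtesy to well-behaved clients, while the `403` in `handle_request` is what actually protects the resource when a client ignores the representation and crafts its own request.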