@jhimansh described an issue where forced browsing could be used to visit restricted pages as an unprivileged user. As our web application is shipped as client side JavaScript, there is no way to prevent viewing all pages within that code. However, checks are done server-side to ensure that unauthorized changes fail as expected.