Background: The grails application I am developing has a few levels of granular security. First the least granular is at the controller level. Either you can view a specific page or you cannot (I am using the Acegi spring security plugin). The second level of security is in the service layer via an AOP approach. You can either access a certain service method with the passed attributes based on how you relate to that object. The third layer is again in the service layer and again facilitated via AOP which provides advice to the service method, which then restricts or alters what is returned.
The Question
The final level which my question is about is the display level. Some users do not get links to certain pages or are able to view additional information. What is the best way to implement this? Currently I use the security taglib and use ifAnyGranted or ifAllGranted and such directly on my gsp's. There may be need in the future to have more complex privileges. Should this security be pulled back to the controller and then passed on the model such that you could do something like <g:if test="${hasSomeViewRight}"></g:if>?
I feel like both ways are not very terse. Is there a better pattern for this?