it seems there are 2 options when dealing with security permissions for views in mvc:
am i missing any other options here? the first seems ridiculously un-DRY and the second seems to contradict the definition of a view...
so my question is: is there a better way?
I disagree with the idea that (2) contradicts the idea of a view. Rendering or not rendering a particular component of a view dependent on data received from the controller seems perfectly appropriate to me. Whether you choose to require the data to be in the model or if it can be used from other server resources depends, I think, on how pedantic you want to be. I choose rather to be pragmatic and simply use what is provided rather than fabricate a new model just to hold role-related information so in some circumstances (link my menu control) I simply do the role checking in the view logic.
It's important to remember that MVC is a pattern -- not a dictum. Where the pattern seems to work against you, it's okay to bend it a little. Likewise, DRY is a principle not a law. If it seems best to repeat a little code to accomplish a purpose better, go ahead and repeat it. Understand that you're creating maintenance issues for yourself, but don't let rigid adherence to a principle keep you from doing the "right thing."