I haven’t read it in detail, but I don’t think it applies directly to Xojo. Some of the high-level concepts will apply, but the implementation will be completely different. Your Xojo code allows you to hand-craft the page and its contents. It doesn’t need to rely on JavaScript to enforce permissions. That all happens before the page is ever sent to the user’s browser.
Everything that happens in your Xojo code happens server-side. The browser is just a display tool. (Gross oversimplification)
When your login page executes (server side), it will decide what permissions to grant to the user. It will store that information in the Session (server side) and then redirect to the dashboard page.
The dashboard will read the permissions info from the Session and configure itself accordingly. (still server side) Then the appropriate version of the page will be sent to the browser. Most user interaction with the page will trigger a Xojo event, which again runs server side. That gives you another chance to verify permissions and act accordingly.
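The flow described in the reply above, sketched as an added example that is not part of the original post or of any Xojo sample project. It assumes Xojo Web 2.0 event names (`Pressed`, `Opening`); the Session properties, page, control and `SelectedOrderID` names, and the `Accounts` module with its methods, are all hypothetical.

```xojo
// Example only. Assumed names: Session properties UserName / CanEditOrders,
// pages LoginPage and DashboardPage, the controls used in each handler,
// the page property SelectedOrderID, and the hypothetical module Accounts
// (Authenticate, CanEditOrders, DeleteOrder).

// --- Session (the project's WebSession subclass): properties added ---
//   Public Property UserName As String
//   Public Property CanEditOrders As Boolean = False

// --- LoginPage.LoginButton, Pressed event (runs on the server) ---
Sub Pressed()
  Var name As String = NameField.Text.Trim
  If Not Accounts.Authenticate(name, PasswordField.Text) Then
    ErrorLabel.Text = "Login failed."
    Return
  End If
  // Permissions are decided here and stored in the server-side Session.
  Session.UserName = name
  Session.CanEditOrders = Accounts.CanEditOrders(name)
  DashboardPage.Show
End Sub

// --- DashboardPage, Opening event (still on the server) ---
Sub Opening()
  WelcomeLabel.Text = "Signed in as " + Session.UserName
  // The page configures itself from the Session before it is sent out.
  // CanEditOrders defaults to False, so a Session with no login sees no button.
  DeleteOrderButton.Visible = Session.CanEditOrders
End Sub

// --- DashboardPage.DeleteOrderButton, Pressed event (server side again) ---
Sub Pressed()
  // Verify again at the point of action instead of relying on the
  // button having been hidden when the page was built.
  If Not Session.CanEditOrders Then
    MessageBox("You do not have permission to delete orders.")
    Return
  End If
  Accounts.DeleteOrder(SelectedOrderID)
End Sub
```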