Hello Paul, that’s a good question. Disclaimer: this is not the most elegant implementation, and will change in the future (don’t hold your breath though).
As you know, projects help set and track read/write permissions on the streams they contain. Nevertheless, projects themselves are a resource, so an end user can have read/write access on the project itself. Hence, there’s two separate fields tracking these relationships.
canWrite at the root of a project resource specify who can read or write that project. If a user needs write access to be able to add streams to that project.
permissions.canWrite relate to the permissions users are granted on the streams in the project.
I recently refurbed the way the web app shows things, it might clarify what’s going on:
Hope this helps.