The simple solution for what you want to achieve is document/field level security, which is part of X-Pack. Other than that, maybe filter the button out in your nginx or remove it from disk; this way they can't see it. It's not perfect, but it's not a supported behavior.