Should a RESTful representation depend on user permissions?
Yes.
I don't think it is RESTful when authorization infiltrates into the representations of resources. The identity of the current user is strictly client state, so it should not affect the representation of a resource, except if identification factors, the user id or permission details are sent with the request.
It is client state, but you can send it with every message, so it does not violate the stateless constraint.
Is it possible to use sessions and separate the stateful part from the service?
Server side sessions are not allowed because they would violate the stateless constraint.
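The pattern described in the answers above, as an added example that is not part of the original post: the client sends a signed token with every request, and the handler builds the permission-dependent representation from that token alone, with no server-side session store. The key, the token layout, the sample resource and the permission names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: real services load this from a secret store
ARTICLE = {"id": 7, "title": "Q3 report", "internal_notes": "draft figures"}  # constructed

def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user, perms, ttl=300, now=None):
    """Pack identity and permissions into a signed token the client holds."""
    now = time.time() if now is None else now
    claims = {"sub": user, "perms": sorted(perms), "exp": int(now) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return payload + "." + _sign(payload)

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims if claims["exp"] > now else None

def get_article(headers, now=None):
    """GET handler: everything it needs arrives in the request; no session lookup."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = verify_token(token, now) if scheme == "Bearer" else None
    if claims is None:
        return 401, {}, None
    if "article:read" not in claims["perms"]:
        return 403, {}, None
    body = {"id": ARTICLE["id"], "title": ARTICLE["title"]}
    if "article:read_internal" in claims["perms"]:
        body["internal_notes"] = ARTICLE["internal_notes"]
    # The body varies per credential, so shared caches must not reuse it.
    return 200, {"Cache-Control": "private", "Vary": "Authorization"}, body
```

Because the representation differs per credential, the response is marked `Cache-Control: private` with `Vary: Authorization` so an intermediary cache does not serve one user's view to another.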