I have an MVC app that is basically one page with a bunch of AJAX calls that parse returned JSON and then, using jQuery, populate the page. So, for example, if I call /API/Users/List it will return some JSON, and then I'll parse that and dynamically create an li element for each user. Then I put an edit link next to each user name and hook it up to do the necessary editing (jQuery with another AJAX call).

What I'm curious about is how I would go about showing/hiding the edit link based upon role. I have a strongly typed view and can populate hidden fields with user info (<input type=hidden name=UserID value=jsmith /> <input type=hidden name=Role value=Admin />), and of course I can always validate the user in the Controller that the edit action posts to, but I'd like to know if there is a way to verify ON THE CLIENT that the hidden field hasn't been tampered with, so that someone doesn't save the file offline, change the hidden field for Role, and then see the edit links when they are not supposed to.

In this contrived example, not much harm comes from being able to see the edit links if they cannot do anything, but there are some calls where I pass the role to an API call and it returns data that is flagged as "private" in the database that shouldn't be seen without the correct privileges.

So, basically, the question becomes: "is there any way to exchange data between the ASPX page and the JavaScript that then calls the API without it being just stored in a hidden field that could be tampered with?"
Thanks,