I prefer to make things the user can't interact with completely invisible when possible. You can't hack what you can't see (and I don't mean hidden on the page, I mean the server doesn't generate the code for the things not-logged-in users can't see).
That said, assuming you need to leave controls visible, but disabled, I would add code in both the front-end and the back-end to do checks. The front-end validation code is susceptible to hacking, but it is nice to have quick validation feedback available for users that are using the system - however, the back-end should be your real fail-safe place to make sure everything is as expected and do final checks before committing changes.
Unfortunately, that sometimes means you need to duplicate the effort, but for really important stuff, it is worth it.
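
An added illustration of the two points in the answer above, not code from the answerer: the server renders only the controls a role may use, and the back-end re-checks every submitted field before committing. The roles, field names and policy table are assumptions made for the example.

```python
from html import escape

# Constructed sample policy: which roles may edit which fields (hypothetical names).
EDITABLE_BY_ROLE = {
    "anonymous": set(),
    "member": {"display_name"},
    "admin": {"display_name", "account_status"},
}
ALLOWED_STATUS = {"active", "suspended"}


def render_form(role, record):
    """Emit inputs only for fields this role may edit; nothing else reaches the browser."""
    editable = EDITABLE_BY_ROLE.get(role, set())
    if not editable:
        return ""
    rows = [
        f'<input name="{escape(name)}" value="{escape(str(record[name]))}">'
        for name in sorted(editable)
    ]
    return "<form method='post'>" + "".join(rows) + "</form>"


def apply_update(role, record, submitted):
    """Back-end check run before committing; it never trusts the state of the form."""
    editable = EDITABLE_BY_ROLE.get(role, set())
    errors = []
    for name, value in submitted.items():
        if name not in editable:
            # The control was omitted or disabled client-side, yet the field arrived anyway.
            errors.append(f"{name}: not permitted")
        elif name == "display_name" and not (1 <= len(value.strip()) <= 40):
            errors.append("display_name: must be 1-40 characters")
        elif name == "account_status" and value not in ALLOWED_STATUS:
            errors.append("account_status: invalid value")
    if errors:
        return record, errors  # reject the whole request and commit nothing
    return {**record, **submitted}, []
```

The same length and value rules can be mirrored in the browser for quick feedback, while `apply_update` remains the check that decides whether anything is written.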