How to prevent hacking if users change html/javascript variables on client side?

Question

Using a simple tool like FireBug, anyone can change javascript parameters on the client side. If anyone take time and study your application for a while, they can learn how to change JS parameters resulting in hacking your site.

For example, a simple user can delete entities which they see but are not allowed to change. I know a good developer must check everything on server side, but this means more overhead, you must do checks with data from a DB first, in order to validate the request. This takes a lot of time, for every action someone must validate it, and can only do this by fetching the needed data from DB.

What would you do to minimize hacking in that case?

A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.

How good sounds the solution above to you?

Our team use teamworkpm.net to organize our work. I just discovered that I can edit someone else tasks by changing a javascript function (which initially edit my own tasks).

Answer 1

when every function call to server, in server side before you do the action , you need to check if this user is allowed to do this action.

It is necessary to build server-side permissions mechanism to prevent unwanted actions, you may want to define groups of users, not individual user level, it makes it easier.