0

If you render your page with JS and need to implement a security feature, it comes down to something such as this:

var userID = getUserID();
if (userID == 1) {
   html += renderDeleteButton();
}

But won't the user be able to just open the debugger and change the value of userID?

1
  • It’s more important that the function cannot be executed by unauthorized users. Commented Jul 28, 2012 at 7:46

3 Answers

8

Yes they will. With JS, the user can do whatever the heck they want. This is why security stuff should go in your server-side code (PHP / ASP / etc.), as users cannot modify it.


2

Do not trust anything from a client side script like JS. All client side scripts can be manipulated by the user. Any secure type of code should reside in a server side script.


1

Validation/security checks in JavaScript are always only done to save the user the time of a trip to the server and back. They are strictly for performance only.

If you want actual security, it must be implemented on the server.
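The split the answers describe, as an added example that is not part of the original posts: the client-side check only decides whether to draw the button, while the server decides whether the delete happens, using the identity stored in its own session table. It runs under Node.js; `sessions`, `login`, `handleDelete`, `renderPage`, `ADMIN_ID` and the sample post are hypothetical names and constructed data.

```javascript
// Added example; every name below is hypothetical, the data is constructed.
const { randomBytes } = require('node:crypto');

const ADMIN_ID = 1;                      // mirrors `userID == 1` in the question
const sessions = new Map();              // token -> userID, held only on the server
const posts = new Map([[42, 'hello']]);  // constructed sample data

// Issued at login; the browser only ever holds the opaque random token.
function login(userID) {
  const token = randomBytes(16).toString('hex');
  sessions.set(token, userID);
  return token;
}

// Server-side handler for the delete action. The identity comes from the
// session store, never from a value the client sends or can edit.
function handleDelete(req) {
  const userID = sessions.get(req.sessionToken);
  if (userID === undefined) return { status: 401, body: 'not logged in' };
  if (userID !== ADMIN_ID) return { status: 403, body: 'forbidden' };
  if (!posts.delete(req.postID)) return { status: 404, body: 'no such post' };
  return { status: 200, body: 'deleted' };
}

// Client-side rendering stays as a convenience: it hides a button whose
// request the server would refuse anyway.
function renderPage(userID) {
  let html = '<p>post 42</p>';
  if (userID === ADMIN_ID) html += '<button>Delete</button>';
  return html;
}

// Changing userID in the debugger makes the button appear...
const userToken = login(7);
const tamperedHtml = renderPage(1);
// ...but the request still carries session 7; the claimed userID field is ignored.
const tamperedResult = handleDelete({ sessionToken: userToken, postID: 42, userID: 1 });
const adminResult = handleDelete({ sessionToken: login(ADMIN_ID), postID: 42 });
console.log(tamperedResult.status, adminResult.status);
```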

