Quote:
Hiding the ID from the user won't prevent him from guessing an ID and updating it anyway. If your app relies on hidden information for its security, it's not secure.
+1
There are many products out there that let users hack into the HTTP request/response data and do all kinds of things to it. The only way to truly secure your system is to verify the user is who he says he is (authenticate), and then use role-based or business-rule-based logic to determine whether the user actually has the authority to do what he's requesting to do (authorize).
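One way to implement the authenticate-then-authorize check described in this thread, as an added example that is not code from any poster. The record store, role table, signing key and all function names are hypothetical, and the sample data is constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side session signing key
# Constructed sample data: records keyed by the ID a hidden form field would carry.
RECORDS = {
    101: {"owner": "alice", "text": "alice's note"},
    102: {"owner": "bob", "text": "bob's note"},
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


def issue_token(user):
    """Session token handed out after login: user name plus an HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def authenticate(token):
    """Return the user name if the token's tag verifies, else None."""
    user, _, tag = token.rpartition(":")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag.encode(), expected.encode()) else None


def authorize_update(user, record):
    """Business rule: owners may edit their own record; admins may edit any."""
    return record["owner"] == user or "admin" in ROLES.get(user, set())


def handle_update(token, record_id, new_text):
    """Treat record_id as untrusted input, whether or not the form hid it."""
    user = authenticate(token)
    if user is None:
        return 401
    record = RECORDS.get(record_id)
    # Same status for "missing" and "not yours", so the reply reveals nothing about IDs.
    if record is None or not authorize_update(user, record):
        return 404
    record["text"] = new_text
    return 200
```

The ID in the request is only a lookup key here; the decision to allow the update comes from the verified session and the ownership or role rule, never from whether the client could see the ID.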