Im seeing a lot of my forms having hidden fields to send one or two
id’s back to the controller. Is this safe? can a user edit this before
sending the form and send stuff they should’nt?
No, NOTHING that comes from a browser is secure.
Users can edit and change whatever they want.
You must double check everything against the current login
stored in the session, since that’s the only secure information
you have