Is it safe for the JS to rely on a PHP-generated JS variable such as a=1 to represent permission for a certain kind of action?
For example, an Ajax request to the backend for some kind of action gets a PHP-generated JS variable: var permission=1;
Then the front-end JS performs some kind of operation according to this permission.
Reply to discussion (solution)
The problem is not big; if you are worried about it, you can add some validation.
Is it safe for the JS to rely on a PHP-generated JS variable such as a=1 to represent permission for a certain kind of action?
For example, an Ajax request to the backend for some kind of action gets a PHP-generated JS variable: var permission=1;
Then the front-end JS performs some kind of operation according to this permission.
Ajax
Permissions
...... You do not have a problem; many web site registrations return information to the page through the Ajax method.
However, I still suggest doing the permission check when there is a certain kind of action; after all, JS authentication is on the client, and who knows what problems there will be.
Why isn't it safe?
Ajax cannot cross domains, so instructions can only come from your own server
If you don't even trust your server, then what way out is there?
If the page forges a global variable var permission=1;
then the front-end JS performs some kind of operation according to this permission.
Is this feasible?
Who faked it?
If the page forges a global variable var permission=1;
then the front-end JS performs some kind of operation according to this permission.
Who faked it?
Quoting the 4th floor, nowphp's reply:
If the page forges a global variable var permission=1;
then the front-end JS performs some kind of operation according to this permission.
I have less knowledge; I do not know whether the front-end JS can be rewritten by hackers. For example, my var a = 'xx'; can he change my script code to var a = 'yy'? If not, then the hacker can only make a page of his own to submit the JS variable.
But you mentioned above that Ajax cannot cross domains, which made me feel relieved; in fact, though, I searched on Baidu and found a lot of articles about Ajax cross-domain submission, so how is that?
It can be done.
But "performing some kind of operation according to this permission" also needs a permission check on the server.
After all, the JS on the client can be modified.
Encrypt, decrypt ...
This is an issue that should be considered in anything related to security. At almost any time, we don't trust the data sent back from the client.
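To make the point of the thread concrete, here is an added example (not code from any poster) that models the whole pattern in plain Node.js: the server renders the var permission=1; snippet into the page, the browser-side JS uses it to decide whether to send the Ajax request, and the server handles that request either by trusting the permission value the client sends back (the weak setting) or by re-deriving the permission from server-side session state (the corrected setting). The session store, the function names and the request shape are assumptions made for this example.

```javascript
// Added example, not from the thread. Models: PHP-style page rendering of a
// permission variable, the client-side check, and two server-side handlers.

// Server-side view of logged-in users. In PHP this would live in $_SESSION.
// Constructed sample data for the example.
const SESSIONS = {
  'sid-admin': { userId: 1, canDelete: true },
  'sid-user':  { userId: 2, canDelete: false },
};

// What the server writes into the page: the JS snippet the thread asks about.
function renderPermissionScript(sessionId) {
  const session = SESSIONS[sessionId];
  return `var permission=${session && session.canDelete ? 1 : 0};`;
}

// Browser-side JS as in the thread: only sends the Ajax request if the
// variable says so. This is a usability hint only; the user controls this
// code and the variable, so it cannot be relied on for authorization.
function clientDeleteRequest(permissionVar, postId) {
  if (permissionVar !== 1) return null;            // button hidden, nothing sent
  return { action: 'delete', postId, permission: permissionVar };
}

// WEAK handler: believes the permission value echoed back by the client.
function handleDeleteInsecure(sessionId, body) {
  if (body.permission === 1) return { ok: true, deleted: body.postId };
  return { ok: false, status: 403 };
}

// CORRECTED handler: ignores whatever the client claims about its rights and
// re-derives the permission from server-side state (the session).
function handleDeleteSecure(sessionId, body) {
  const session = SESSIONS[sessionId];
  if (!session) return { ok: false, status: 401 };
  if (!session.canDelete) return { ok: false, status: 403 };
  return { ok: true, deleted: body.postId };
}

// Walk-through: the unprivileged user's page renders permission=0, so the
// unmodified client never sends the request. The server, however, has to
// assume it may receive a request body with permission:1 from a modified
// client anyway, which is exactly the "JS on the client can be modified" point.
function demo() {
  const honest = clientDeleteRequest(0, 42);                   // null
  const forged = { action: 'delete', postId: 42, permission: 1 }; // constructed body
  return {
    honestRequestSent: honest !== null,
    insecureAcceptsForged: handleDeleteInsecure('sid-user', forged).ok,
    secureAcceptsForged: handleDeleteSecure('sid-user', forged).ok,
    secureAcceptsAdmin: handleDeleteSecure('sid-admin', clientDeleteRequest(1, 42)).ok,
  };
}

console.log(renderPermissionScript('sid-user'));   // var permission=0;
console.log(demo());
```

The client-side variable is still useful for hiding a button the user cannot use; the only thing that changes between the two handlers is where the server looks for the permission. Detection-wise, an endpoint that receives permission:1 in a request body from a session whose server-side record says otherwise is a clear signal of a tampered client and is worth logging.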