How to secure Add child record functionality in MVC on Parent's view?
Posted by RSolberg on Stack Overflow
        Published on 2010-04-06T05:18:22Z
I'm trying to avoid some potential security issues as I expose a new set of functionality into the real world. This is basically functionality that will allow for a new comment to be added via a partial view on the "Parent" page. My comment needs to know a couple of things: first, what record the comment is for, and secondly, who is making the comment.
I really don't like using a hidden field to store the ID for the Parent record in the add comment form as that can be easily changed with some DOM mods. How should I handle this?
PARENT
<% 
    Html.RenderPartial("AddComment", Model.Comments); 
%>
CHILD
<%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl<CommentsViewModel>" %>
<% using (Html.BeginForm("AddComment", "Requests")) { %>
    <fieldset>
        <legend>New Comment</legend>
        <%= Html.HiddenFor(p => p.RequestID) %>
        <%= Html.TextBoxFor(p => p.Text) %>
        <input type="submit" value="Add" />
    </fieldset>
<% } %>
CONTROLLER
    [AcceptVerbs(HttpVerbs.Post)]
    public void AddComment(CommentsViewModel commentsModel)
    {
        var user = GetCurrentUser();
        commentsModel.CreatedByID = user.UserID;
        RequestsService.AddComment(commentsModel);
    }
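The issue the question raises is that the hidden RequestID can be edited client-side, so the server must not treat it as proof of anything. As an added example (not the asker's code), here is the shape of a controller action that treats RequestID as untrusted input and authorizes the (user, request) pair server-side before saving; IRequestsService, GetRequest, Request.OwnerID and the Comment entity are assumed names, not from the original post.

```csharp
using System.Web.Mvc;

// Added example, not the asker's code. Assumes a hypothetical
// IRequestsService with GetRequest(int) and AddComment(Comment), a
// Request entity exposing RequestID and OwnerID, and a Comment entity.
public class RequestsController : Controller
{
    private readonly IRequestsService _requests;   // hypothetical service
    public RequestsController(IRequestsService requests) { _requests = requests; }

    [HttpPost]
    [Authorize]                 // anonymous callers never reach the action
    [ValidateAntiForgeryToken]  // pair with <%= Html.AntiForgeryToken() %> in the form
    public ActionResult AddComment(
        [Bind(Include = "RequestID,Text")] CommentsViewModel commentsModel)
    {
        if (!ModelState.IsValid)
            return View("AddComment", commentsModel);

        var user = GetCurrentUser();

        // The hidden RequestID is attacker-controlled. Rather than trusting it,
        // load the parent record and decide server-side whether this user may
        // attach a comment to it. Deny by default if the record is missing.
        var request = _requests.GetRequest(commentsModel.RequestID);
        if (request == null || !CanComment(user, request))
            return new HttpStatusCodeResult(403);

        // Persist from server-side facts only: the author identity comes from
        // the authenticated session, never from a posted field.
        _requests.AddComment(new Comment
        {
            RequestID = request.RequestID,
            CreatedByID = user.UserID,
            Text = commentsModel.Text
        });
        return RedirectToAction("Details", new { id = request.RequestID });
    }

    // Hypothetical policy: the request's owner or an administrator may comment.
    private bool CanComment(User user, Request request)
    {
        return request.OwnerID == user.UserID || User.IsInRole("Admin");
    }
}
```

Logging the 403 branch with the user and the RequestID that was submitted gives a cheap detection signal for anyone probing other users' records.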