You need to think that the the ajaxServer.php page is just like any other PHP page. Just because you use JavaScript to get the response, rather than a normal browser request, does not make the security arrangements any different.

In your example above, you would certainly need to check that the person requesting the page is authorised to delete items - like you would for a 'normal' PHP page doing the same job.