12-06-2007, 02:58 AM
#3
The Wanderer
Join Date: Nov 2007
Posts: 13
Thanks: 0
I have permissions in my actual script already. Say that I am User #27; someone could send a post to the AJAX page using a userID of 27. If User #27 has permission to do the requested action, the forged post could perform the action even though User #27 isn't actually logged in.
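
The gap described in this post, as an added example that is not part of the original thread: a handler that takes the acting user from the request body, beside one that takes it only from a server-side session. Python is used for illustration; the `userID` and `action` field names, the `session` cookie and the permission table are assumptions.

```python
import secrets

# Constructed sample data: user 27 may perform "delete_post", user 31 may not.
PERMISSIONS = {27: {"delete_post"}, 31: set()}
SESSIONS = {}  # server-side store: random session token -> user id


def login(user_id):
    """Create a session; only the unguessable token is handed to the client."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def logout(token):
    """Destroy the session so the token stops identifying anyone."""
    SESSIONS.pop(token, None)


def handle_ajax_trusting(post):
    """Pattern from the post: identity is whatever userID the request claims."""
    user_id = int(post["userID"])
    if post["action"] in PERMISSIONS.get(user_id, set()):
        return 200, f"{post['action']} performed as user {user_id}"
    return 403, "forbidden"


def handle_ajax_session(cookies, post):
    """Identity comes only from the session store; post['userID'] is ignored."""
    user_id = SESSIONS.get(cookies.get("session", ""))
    if user_id is None:
        return 401, "not logged in"
    if post.get("action") in PERMISSIONS.get(user_id, set()):
        return 200, f"{post['action']} performed as user {user_id}"
    return 403, "forbidden"


if __name__ == "__main__":
    claimed = {"userID": "27", "action": "delete_post"}  # constructed request body
    print(handle_ajax_trusting(claimed))                 # permission check passes on a claim
    print(handle_ajax_session({}, claimed))              # no session: rejected
    other = login(31)
    print(handle_ajax_session({"session": other}, claimed))  # judged as user 31, not 27
```

The permission check is the same in both handlers; only the source of the user ID changes, so the second one rejects the request when no session exists for the caller.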