Scenario:
I have a page where users can view jokes based on categories and sub-categories they are allowed to view. Then based on what category they pick, they can choose sub-categories and based on that, a list of jokes will appear.

First I have a page with a form with two select boxes. The first select box is populated on page load with a list of all the categories that the user is allowed to select from based on their user role (there are restricted categories the user is not permitted to see). When the user picks a category from the first select box, a request is sent to the server via this jQuery plugin (remote version): http://www.appelsiini.net/projects/chained which returns JSON-formatted data that populates the second select box depending on what category was picked. My problem is, what is stopping the user from editing the client-side ID from the select box and gaining access to restricted content? For example: if the user is permitted to view categories with ID 1, 2 and 3, with 4 and 5 being restricted, what is stopping them from changing the JavaScript or select box IDs so that it requests ID 4 or 5 content?
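
An added example, not part of the original post: the select box only limits what the page offers, so the server handler behind each request has to re-check the requested ID against the caller's role. The role names, sample data, response shape and the function names `subcategoriesFor` and `jokesFor` are assumptions made for illustration.

```javascript
// Constructed sample data: category IDs each role may view (4 and 5 restricted).
const ROLE_CATEGORIES = new Map([
  ["member", new Set([1, 2, 3])],
  ["admin", new Set([1, 2, 3, 4, 5])],
]);
// Constructed sample data: sub-category ID -> parent category and label.
const SUBCATEGORIES = new Map([
  [10, { categoryId: 1, name: "Puns" }],
  [11, { categoryId: 1, name: "One-liners" }],
  [40, { categoryId: 4, name: "Staff only" }],
]);
const JOKES = [
  { id: 100, subcategoryId: 10, text: "constructed joke A" },
  { id: 101, subcategoryId: 40, text: "constructed joke B" },
];

// Accept only plain positive decimal integers; anything else is rejected.
function parseId(raw) {
  return /^[1-9][0-9]{0,8}$/.test(String(raw)) ? Number(raw) : null;
}

// The role comes from the server-side session, never from the request body.
function canView(user, categoryId) {
  const allowed = ROLE_CATEGORIES.get(user && user.role);
  return Boolean(allowed && allowed.has(categoryId));
}

// Handler for the chained-select request: category ID in, sub-categories out.
function subcategoriesFor(user, rawCategoryId) {
  const categoryId = parseId(rawCategoryId);
  if (categoryId === null) return { status: 400, body: {} };
  if (!canView(user, categoryId)) return { status: 403, body: {} };
  const body = {};
  for (const [id, sub] of SUBCATEGORIES) {
    if (sub.categoryId === categoryId) body[id] = sub.name;
  }
  return { status: 200, body };
}

// Handler for the joke list: the parent category is looked up on the server,
// so a tampered sub-category ID is checked against the same role rule.
function jokesFor(user, rawSubcategoryId) {
  const subId = parseId(rawSubcategoryId);
  if (subId === null) return { status: 400, body: [] };
  const sub = SUBCATEGORIES.get(subId);
  if (!sub || !canView(user, sub.categoryId)) return { status: 403, body: [] };
  return { status: 200, body: JOKES.filter((j) => j.subcategoryId === subId) };
}
```
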