
Secure post through javascript


Manol

Hello.

I've got a JSON file which I send with $http post to a ProcessWire page, then this page saves the data under a page in the ProcessWire tree.

As an example:

file.json

{ "user": "manol", "email": "my@mail.com", .... }

$http({url: '/web-service/save-json-to-page/', method: "POST", data: file.json } )

  
  <?php
  // Read the raw request body and decode the JSON into an associative array.
  function getPost() {
    $request = file_get_contents('php://input');
    return json_decode($request, true);
  }
  $getPost = getPost();

  $user = $getPost['user'];
  $email = $getPost['email'];

  // save under some page

Now I check if the user has the right role to do it, but I feel that it is really insecure using JS and PHP together.

How can I secure that so only granted users are able to save the data? CSRF, other options?


I'm not an expert in this, but you can have a hidden field in that form with a random number or string generated with PHP only for the logged-in user, store it in a session and check for it when the form is submitted.

edit: in your case it's not a form, but you can still pass some info to the page, that can be sent back to server together with the file.

  • Like 2
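
The session-token check suggested in the reply above, adapted to a JSON POST, as an added example that is not part of the original thread. The function names, the `X-CSRF-Token` header, the `editor` role and the plain array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical, not ProcessWire's own API.

// Issue one random token per session; print it into the page that runs the JS.
function csrf_issue(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Compare the token sent back by the client with the stored one in constant time.
function csrf_check(array $session, ?string $sent): bool {
    return is_string($sent) && !empty($session['csrf'])
        && hash_equals($session['csrf'], $sent);
}

// Endpoint logic, returns [HTTP status, message]. $roles must come from the
// server-side user record, never from the request body.
function handle_save(array $session, array $roles, ?string $token, string $body): array {
    if (!csrf_check($session, $token)) {
        return [403, 'bad or missing token'];
    }
    if (!in_array('editor', $roles, true)) {
        return [403, 'role not allowed'];
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['user'], $data['email']) || !is_string($data['user'])) {
        return [400, 'invalid JSON'];
    }
    if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return [400, 'invalid email'];
    }
    // ... save $data['user'] and $data['email'] under the target page here ...
    return [200, 'saved'];
}

// Constructed demo input so the script runs from the command line.
$session = [];
$token = csrf_issue($session);
$body = '{"user":"manol","email":"my@mail.com"}';
$cases = ['valid token' => $token, 'no token' => null, 'forged token' => str_repeat('0', 64)];
foreach ($cases as $label => $sent) {
    [$status, $msg] = handle_save($session, ['editor'], $sent, $body);
    echo "$label: $status $msg\n";
}
```

In the live endpoint the arguments would come from `$_SESSION`, `$_SERVER['HTTP_X_CSRF_TOKEN']` and `file_get_contents('php://input')`, and the `$http` call would send the token through its `headers` option.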