Im seeing a lot of my forms having hidden fields to send one or two id's back to the controller. Is this safe? can a user edit this before sending the form and send stuff they should'nt?
No, NOTHING that comes from a browser is secure. Users can edit and change whatever they want.
You must double check everything against the current login stored in the session, since that's the only secure information you have