Your server code should always validate whether a user has the right to perform a certain operation, be it delete or add or update or whatever. Any session cookies are transported with the Ajax call as well so use those to check the user is (don't forget that session cookies can be hijacked as well so in critical applications bind them to an IP address server side).
Edit: other method You can also generate a one time token on the server and have the Ajax call transmit that as well as one of the arguments. On the server you have to keep track of those tokens and only allow actions with a valid token. Valid van be: generated less than x minutes ago on the same IP address.