Forum OpenACS Development: Re: Possible Vulnerability in basic-info-update-2.tcl

Posted by Don Baccus on
The perm check should be there, certainly.  An additional and fast way to add more security is to sign and validate the user_id, which is supported directly in ad_page_contract.

Your ad_page_contract idea's interesting but I think in this particular case the two steps described above would be sufficient and don't require an extra trip to the database.
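
The two steps mentioned in the post above, sketched as an added example (not code from the OpenACS source tree or from the poster): the form page exports `user_id` with a signature, and the processing page declares it with the `verify` flag and then runs the permission check. The form-page fragment, the `first_names`/`last_name` fields, the `admin` privilege and the "editing yourself needs no extra privilege" rule are assumptions made for illustration.

```tcl
# ---------------------------------------------------------------
# Form page (assumed to be basic-info-update.tcl), fragment only.
# export_vars with the :sign flag emits the hidden user_id field
# plus a companion user_id:sig field holding a server-side
# signature, so a client that edits the value invalidates it.
# ---------------------------------------------------------------
set hidden_vars [export_vars -form {user_id:sign}]
# $hidden_vars is then placed inside the <form> in the template.

# ---------------------------------------------------------------
# Processing page (basic-info-update-2.tcl).
# ---------------------------------------------------------------
ad_page_contract {
    Updates a user's basic information.
} {
    user_id:integer,verify
    first_names:notnull
    last_name:notnull
    {return_url ""}
}
# Step 1 happened in the contract: "verify" checks user_id against
# user_id:sig. A missing or mismatched signature produces a
# complaint page and the code below never runs.

# Step 2: the permission check. The signature only proves that the
# server issued this value; it does not prove that the current
# session is allowed to act on it.
set current_user_id [auth::require_login]

if { $user_id != $current_user_id } {
    # Assumption: changing another user's record requires admin
    # on that user object.
    permission::require_permission \
        -party_id  $current_user_id \
        -object_id $user_id \
        -privilege admin
}

# ... the update itself runs only past this point ...
```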