Jun 16th, 2010, 01:39 PM
URL Giving away too much Info
I currently work on a timesheet portal. One of the features is that as employees are submitting requests an email is sent out to the supervisor that lets the supervisor see that they have a request to approve. In this email is a link to the request that the supervisor can click on to take them to the link.
Currently it looks like this.
http://timeportal.fake/viewrequest.aspx?ID=555&RequestType=2&Role=5
The problem with this system, the way it was written, is that with the information that is given, a user could manipulate the system to allow them to approve one of their own requests as their supervisor. While this has yet to happen, I want to prevent this from happening. Is there a way to create the link without giving away all the information? When you log in currently, the system keeps all the info in a session. But when you try to follow the link, the system would take you to the request page as an employee, when it should be supervisor. This confuses the user, and they log out and back in, going through the menus to get to the requests and in the right state.
At this point I would rather just have them go to the main menu, but that does not seem to be an option that everyone can be happy with. What other options could we try?
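An added example, not part of the original post: one way to keep the link down to the request ID and have the server derive the role from the logged-in session and the stored request, so edited query parameters have no effect. It is written in Python as a framework-neutral sketch; the data model, user names and function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class TimeRequest:
    request_id: int
    request_type: int
    owner: str        # employee who submitted the request
    supervisor: str   # the only person allowed to approve it

# Constructed sample rows standing in for the portal's database.
REQUESTS = {
    555: TimeRequest(555, 2, owner="alice", supervisor="bob"),
    556: TimeRequest(556, 1, owner="bob", supervisor="carol"),
}

class AccessDenied(Exception):
    """Raised when the session user may not see or approve the request."""

def build_email_link(request_id: int) -> str:
    # Only the ID travels in the e-mail; type and role are looked up server-side.
    return f"http://timeportal.fake/viewrequest.aspx?ID={request_id}"

def resolve_view(session_user: Optional[str], query: dict) -> dict:
    """Work out what the logged-in user may do with the linked request."""
    if session_user is None:
        raise AccessDenied("login required")
    try:
        req = REQUESTS[int(query["ID"])]
    except (KeyError, ValueError):
        raise AccessDenied("unknown request") from None
    # The role is derived from stored relationships; query["Role"] and
    # query["RequestType"] are never read, so editing them changes nothing.
    if session_user == req.supervisor:
        role = "supervisor"
    elif session_user == req.owner:
        role = "employee"
    else:
        raise AccessDenied("not a party to this request")
    # Nobody approves their own request, even if listed as their own supervisor.
    can_approve = role == "supervisor" and session_user != req.owner
    return {"request_id": req.request_id, "request_type": req.request_type,
            "role": role, "can_approve": can_approve}

def approve(session_user: Optional[str], query: dict) -> str:
    view = resolve_view(session_user, query)
    if not view["can_approve"]:
        raise AccessDenied("only the supervisor may approve")
    return f"request {view['request_id']} approved by {session_user}"
```

Because the role is worked out per request, the same user lands in the supervisor view for a subordinate's request and in the employee view for their own, without logging out and back in.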