Business logic does NOT belong on the client side!
First of all, anything sent to the client can be seen by the client. If the data is sent in a way such that Internet Explorer or Firefox can understand what to do with it, it can be seen and understood by a capable analyst. If this logic is your secret sauce, then you absolutely should not just give it away to every GET received on port 80.
Secondly, the security implications could be huge if any of the data sent back to the server is trusted. Since this person is putting their logic in client side code, it would not surprise me to find out that the server side code trusts the data it receives from the business logic without checking for valid values, length, etc. By using a simple program such as Paros Proxy it is possible for a malicious end user to intercept and modify all values both incoming and outgoing. A capable user could set the results of the business logic to be whatever value they wanted, skipping all of the client side data validation techniques.
Finally, the big picture that is painted by this little example is that an application, especially a web application, should never trust ANY input from the client. Client side validation is considerate for the end user, but does nothing in terms of securing the site. All data to be processed by the application needs to be validated and cleansed on the server side. This even goes so far as to validate HTTP Header fields if they are to be used. There is nothing stopping a person from changing any value in the HTTP section of the packet to any other arbitrary value. As would hopefully be the norm, always validate against a whitelist whenever possible. It’s much safer to know exactly what type of information you’re expecting rather than trying to guess the next malicious value the attackers will discover.
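As an added example (not part of the original post), here is a minimal server-side check in Python that validates each field against a whitelist, treats a header the application uses as untrusted input, and recomputes the business-logic result instead of accepting the client's value. The field names, price table and choice of header are assumptions made for illustration.

```python
import re

# Constructed sample data: the server's own price list (in cents) is the
# source of truth, never a value submitted by the browser.
PRICES = {"widget": 1999, "gadget": 4950}
ALLOWED_LANGS = {"en", "de", "fr"}      # whitelist for a header the app uses
QTY_RE = re.compile(r"[1-9][0-9]?")     # ASCII digits only, 1 to 99


class ValidationError(ValueError):
    """Raised when a client-supplied value is not on the whitelist."""


def validate_order(form, headers):
    """Validate untrusted form fields and headers, then compute the total.

    `form` and `headers` are plain dicts of strings as a web framework
    would hand them over (hypothetical names, not a real framework API).
    """
    item = form.get("item", "")
    if not isinstance(item, str) or item not in PRICES:
        raise ValidationError("unknown item")

    qty_raw = form.get("qty", "")
    # fullmatch() rejects signs, decimals, trailing newlines and long input.
    if not isinstance(qty_raw, str) or not QTY_RE.fullmatch(qty_raw):
        raise ValidationError("bad quantity")
    qty = int(qty_raw)

    # Header fields are client input too: accept known values, else default.
    lang = str(headers.get("Accept-Language", ""))[:2].lower()
    if lang not in ALLOWED_LANGS:
        lang = "en"

    # The business logic runs here, on the server. A "total" field sent by
    # the client is never read, so changing it in transit has no effect.
    total_cents = PRICES[item] * qty
    return {"item": item, "qty": qty, "lang": lang, "total_cents": total_cents}
```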
So remember, don’t trust client data, and validate, validate, validate!