Javascript isn't a good tool for security, simply because any web user can see your javascript via the 'sources' tab of their developer console, and hack the code from there (that button you disabled can be enabled, for example).
Leaving aside the whole security issue - if you want to enable/disable a function like this, you could do it with an asynchronous call to the server, that changed the value of allowedUpdate for you. But if you aren't already familiar with async functions, then the full answer is probably too long to post here.