Developing a secure front end post editing form

From the code it seems like your warning comes from doing the redirect too late. Redirects should be done, as a rule of thumb, no later than the init action. And after the redirect you should die() (I don't think wp_redirect does it for you).

As for security, it is not enough to check that the user is logged in; you need to check if he has the capability to edit the post, something like if current_user_can('edit_post', $post_id). You need to check it both on the UI side and the server side. Just because you do not show the ability to the hacker doesn't mean he will not construct a special HTTP request to change the post if you don't have protection on the server side.
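The following is an added example, not code from the original question or answer: a front-end post editing handler that applies the two points above (run the redirect from the init action and stop execution afterwards; check current_user_can('edit_post', $post_id) on the server, not only when rendering the form). It also adds a nonce check, which the answer does not mention but which is standard WordPress practice for any state-changing form. The form field names (fe_post_id, fe_title, fe_content, fe_nonce), the function names and the text domain are assumptions.

```php
<?php
/*
 * Added example (not from the original answer). Assumes a front-end form
 * that POSTs 'fe_post_id', 'fe_title', 'fe_content' and 'fe_nonce' to the
 * post's own permalink; all of these names are assumptions.
 */

add_action( 'init', 'fe_handle_post_edit' );

function fe_handle_post_edit() {
    // Only react to our own form submission.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['fe_post_id'] ) ) {
        return;
    }

    $post_id = absint( $_POST['fe_post_id'] );

    // Server-side authorization: being logged in is not enough. Passing the
    // post ID makes current_user_can() resolve the meta capability for that
    // specific post (edit_posts / edit_others_posts / edit_published_posts ...).
    if ( ! is_user_logged_in() || ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this post.', 'fe-edit' ), 403 );
    }

    // CSRF protection: dies if the nonce is missing or invalid. Not part of the
    // original answer, but a hand-crafted request without it must not succeed.
    check_admin_referer( 'fe_edit_post_' . $post_id, 'fe_nonce' );

    $result = wp_update_post(
        array(
            'ID'           => $post_id,
            'post_title'   => sanitize_text_field( wp_unslash( $_POST['fe_title'] ?? '' ) ),
            'post_content' => wp_kses_post( wp_unslash( $_POST['fe_content'] ?? '' ) ),
        ),
        true // return a WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }

    // Redirect from init, before any output has been sent, then stop:
    // wp_safe_redirect() only sends the Location header, it does not exit.
    wp_safe_redirect( add_query_arg( 'updated', '1', get_permalink( $post_id ) ) );
    exit;
}

// UI side: hide the form from users who may not edit the post. This is only
// a convenience; the real enforcement is the check in fe_handle_post_edit().
function fe_render_edit_form( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return '';
    }
    $post = get_post( $post_id );
    if ( ! $post ) {
        return '';
    }
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( get_permalink( $post_id ) ); ?>">
        <?php wp_nonce_field( 'fe_edit_post_' . $post_id, 'fe_nonce' ); ?>
        <input type="hidden" name="fe_post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <input type="text" name="fe_title" value="<?php echo esc_attr( $post->post_title ); ?>">
        <textarea name="fe_content"><?php echo esc_textarea( $post->post_content ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
    return ob_get_clean();
}
```

Call fe_render_edit_form( get_the_ID() ) from the page template that shows the editor. Because the handler is hooked to init, the submission is processed and the redirect header sent before the theme prints anything, which is what avoids the "headers already sent" warning; the capability and nonce checks run on every request regardless of whether the form was ever displayed to that user.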
