The strongly typed editing page in ASP.NET MVC 3 usually provides all the fields for Entity. Although this often works, some fields pose a security risk. For example, a simplified magazine subscription might look like this:
public void Subscription() { public int Id { get; set; } public string Name { get; set; } public string Address { get; set; } public string City { get; set; } public string State { get; set; } public string Zip { get; set; } public DateTime SubscribedThru { get; set; } }
If I provide an โEditโ page so that users can change their own address, for example, the security risk of including the SubscribedThru field, because a knowledgeable and malicious user can provide himself with a free 10-year subscription by faking the date (even if I use @Html.HiddenFor(model => model.SubscribedThru) . Therefore, I do not include this field in any way on the html editing page (via razor).
I thought the answer could be to prevent SubscribedThru from trying to bind to the Edit method in the controller using something like:
[HttpPost] public ActionResult Edit([Bind(Exclude="SubscribedThru")] Subscription subscription) { if (ModelState.IsValid) { db.Entry(subscription).State = EntityState.Modified; db.SaveChanges(); return RedirectToAction("Index"); } } return View(subscription); }
When I get to the line SaveChanges(); , it throws an error The conversion of a datetime2 data type to a datetime data type resulted in an out-of-range value. I believe that the SubscribThru date (right?) Does not exist, and the empty value is less than what SQL Server can handle. It amazes me that he even tries to update this field when I have Binding excluded for him.
So far, my best solution seems to have been to create a custom ViewModel that omits the SubscribThru date, but it looks like multiple field duplication, validation, etc .; if possible, I would just want to make one SubscribedThru field safe for editing by the user.
I canโt say that I fully understand the UpdateModel and TryUpdateModel and wonder if this is a direction to the head? I played with them, and EF throws errors to duplicate objects (the same key), which is bewildering.
Also, I donโt understand if the subscription data from bootstrap in public ActionResult Edit(int id) in the controller to the last method [HttpPost] public ActionResult Edit(Subscription subscription)... or db.Entry(subscription).State = EntityState.Modified; string has db.Entry(subscription).State = EntityState.Modified; will try to install everything (I thought it was just setting a flag labeled "edit-so-EF-should-save-this").
I am a long-time .NET developer, just jumping into my first ASP.NET MVC project, so I probably don't notice anything painful. Thanks for any help!