CODEWITHSUNDEEP
asp.net-mvc
jj.
jj.

Reputation: 11

mvc modelbinding

I have an Edit action/view for my User object, but only want a few fields to be editable.

I've set up the view to bind to the User object, and am using Html.EditorFor() for the few fields that I want to be editable.

I noticed in my User object on Post:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult EditUser(Mynamespace.User user)
{ }

that only the fields that I provided .EditorFor() controls for actually have any data.
I tried using Html.Hidden(Model.ID) for one of the fields that i didn't want to be editable, but it is null in the new User object created from model binding.

So, my question- How do I bind where only a couple of the fields should be editable?

Thanks!

Upvotes: 1

Views: 180

Answers (3)

G-Wiz
G-Wiz

Reputation: 7426

Ben's answer is largely correct, in that a ViewModel might be more appropriate, and short of that, TryUpdateModel can be used. However, I add that in that case, rather than requiring the domain object to implement a new interface, you use the overload TryUpdateModel<T>(T, string[]), which allows you to whitelist the updateable properties in a string array by name.

Upvotes: 1

tvanfosson
tvanfosson

Reputation: 532665

Are you using the strongly-type helper for the hidden field or is it exactly like you've typed. If you've got it exactly as typed, then the name of the hidden field is the value of the id, not the name of the property on the model (ID). You might want to change it to:

<%= Html.Hidden( "ID" ) %>

or (if using strongly-typed helpers)

<%= Html.HiddenFor( m => m.ID ) %>

Upvotes: 1

Ben Scheirman
Ben Scheirman

Reputation: 41001

It sounds like you probably want to start thinking about using a View Model that is specific to the form/input that you're dealing with. But in the short term, ....

You could bind to a FormCollection parameter instead and copy the values manually, OR...

you can use the TryUpdateModel method to populate this existing user object with the new data.

Here's the documentation for TryUpdateModel: http://msdn.microsoft.com/en-us/library/dd470756.aspx

It's still possible for malicious users to send phony form-values that map to real properties on your model, so to protect against this (like an employee changing his salary property with a simple form hack) you can introduce an interface that contains the white list properties that you allow.

Here's an example:

public interface IUserEditableFields
{
   string Username {get;set;}
   string Email {get;set;} 
}

//... in the controller action

if(TryUpdateModel<IUserEditableFields>(user)) {
   //validation passed
   //only Username and Email were editable
}

This is a good resource on how to do this: http://css.dzone.com/news/aspnet-mvc-think-before-you-bi

Upvotes: 1

Related Questions