Reputation: 5067
I have a model which has several fields which I never want to be editable by the user. How can I create an edit page which not only hides these fields, but also protects against the user injecting the input elements themselves?
Thanks
Upvotes: 3
Views: 3492
Reputation: 5157
You can prevent fields from being modified by HTTP (aka the user) by adding this at the top of your Model class.
// Exclude Fields from being modified by user (comma-separated property names)
[Bind(Exclude = "ID, Name, other fields you want excluded")]
public class YourModel
{
    // ... properties
}
Upvotes: 0
Reputation: 388
Rather than implement the Edit action for your base model, which enables all fields to be edited, create a separate model that contains only the fields you want edited. This ViewModel approach is safer and avoids the problem of having to always specify a list of properties, as in the whitelist / blacklist approach.
See this for more info: How to Preserve/Protect Certain Fields in Edit in ASP.NET MVC
Upvotes: 0
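The over-posting problem the question describes, beside the two defences in the answers above (a dedicated view model, and `[Bind(Exclude = ...)]` on the bound parameter), as an added example that is not code from the original page or from any of the answers. It targets classic ASP.NET MVC (`System.Web.Mvc`), which the `[Bind]` and `TryUpdateModel` usage on this page implies; the `User` entity, `IUserRepository`, the controller names and the assumption that a DI container supplies the repository are all hypothetical.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Domain entity (hypothetical). Id, IsAdmin and CreatedUtc must never be settable from a form post.
public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
    public DateTime CreatedUtc { get; set; }
}

// Hypothetical persistence abstraction, assumed to be supplied by a DI container.
public interface IUserRepository
{
    User Find(int id);
    void Save(User user);
}

// OVER-POSTING TARGET. The view renders only DisplayName and Email, but the action binds
// the whole entity, so a hand-crafted "IsAdmin=true" field in the POST body is bound and
// saved like any other property. Hiding the input in the view changes nothing here.
public class VulnerableUsersController : Controller
{
    private readonly IUserRepository _users;
    public VulnerableUsersController(IUserRepository users) { _users = users; }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(User posted)
    {
        _users.Save(posted);               // IsAdmin comes straight from the request
        return RedirectToAction("Index");
    }
}

// Hardened, view-model variant: the POST binds a type that has no IsAdmin or CreatedUtc
// property at all, so a crafted field has nothing to land on.
public class EditUserViewModel
{
    public int Id { get; set; }
    [Required, StringLength(100)] public string DisplayName { get; set; }
    [Required, EmailAddress]      public string Email { get; set; }
}

public class UsersController : Controller
{
    private readonly IUserRepository _users;
    public UsersController(IUserRepository users) { _users = users; }

    [HttpGet]
    public ActionResult Edit(int id)
    {
        User user = _users.Find(id);
        if (user == null) return HttpNotFound();
        // Read-only data (IsAdmin, CreatedUtc) is rendered as plain text in the view, never as inputs.
        return View(new EditUserViewModel { Id = user.Id, DisplayName = user.DisplayName, Email = user.Email });
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(EditUserViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        User user = _users.Find(form.Id);  // also verify the caller is allowed to edit this Id
        if (user == null) return HttpNotFound();
        // Copy only the editable fields; IsAdmin and CreatedUtc keep their stored values.
        user.DisplayName = form.DisplayName;
        user.Email = form.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // Deny-list variant from the [Bind] answer: the entity is still bound, but the binder
    // skips the listed properties. Every future sensitive property has to be added to the
    // string, which is why the view model above is the safer default.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithBind([Bind(Exclude = "IsAdmin,CreatedUtc")] User posted)
    {
        if (!ModelState.IsValid) return View(posted);
        User user = _users.Find(posted.Id);
        if (user == null) return HttpNotFound();
        user.DisplayName = posted.DisplayName;
        user.Email = posted.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }
}
```

A quick check for either hardened action is to post the edit form with an extra `IsAdmin=true` field (curl or the browser dev tools is enough) and confirm the stored row is unchanged; against `VulnerableUsersController` the same request flips the flag.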
Reputation: 364409
If you don't want fields to be editable, why make them editable in the edit form in the first place? Use two separate view models. One for the GET request, where you show all necessary data. Read-only data will be just text / labels. The second view model will be for the POST / PUT request, where you pass only the data which can be edited.
If for any reason you need some data to be round-tripped, you can place it in a hidden field and use a second hidden field with a hash. You can get the hash like this (pseudo-code):
ComputeSHA1(dataValue.ToString() + salt);
The salt is a secret value known only to your application. When the data round-trips back to your application, you will compute the hash again (you must use the same salt) and compare it with the hash stored in the request. If those two are different, the user tried to manipulate those hidden fields.
Upvotes: 1
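The hidden-field-plus-hash scheme from the answer above, as an added example (editor's code, not from the page). It makes two choices the answer leaves open: the tag is an HMAC-SHA256 over the field name and the value (a keyed hash rather than the `SHA1(value + salt)` concatenation in the pseudo-code, and bound to the field name so a tag minted for `Id` cannot be replayed on a different hidden field), and the comparison is constant-time. The `ProtectedHiddenField` class, the `"Id"`/`"Id_Tag"` field names and the placeholder key are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Round-trips a value through a hidden form field together with a keyed hash so that a
// tampered hidden field is detected when the form comes back. Hypothetical helper.
public static class ProtectedHiddenField
{
    // Placeholder for the example only. In a real application load this from configuration
    // or a secret store; it must never reach the browser.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-long-random-secret");

    // Tag = HMAC-SHA256(key, fieldName || "\n" || value). Including the field name prevents
    // a valid (value, tag) pair for one field being moved onto another field.
    public static string ComputeTag(string fieldName, string value)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] message = Encoding.UTF8.GetBytes(fieldName + "\n" + value);
            return Convert.ToBase64String(hmac.ComputeHash(message));
        }
    }

    // Recomputes the tag for the posted value and compares in constant time. A plain
    // string == would leak how many leading bytes matched.
    public static bool Verify(string fieldName, string value, string presentedTag)
    {
        if (value == null || presentedTag == null) return false;
        byte[] presented;
        try { presented = Convert.FromBase64String(presentedTag); }
        catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(ComputeTag(fieldName, value));
        return FixedTimeEquals(expected, presented);
    }

    // Portable constant-time comparison (on .NET Core 2.1+ / .NET 5+ use
    // CryptographicOperations.FixedTimeEquals instead).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Rendering the GET view: emit <input type="hidden" name="Id" value="42"> and
        // <input type="hidden" name="Id_Tag" value="..."> (constructed sample value).
        string id = "42";
        string tag = ProtectedHiddenField.ComputeTag("Id", id);

        // Handling the POST: the pair as the browser returned it, and two tampered variants.
        Console.WriteLine(ProtectedHiddenField.Verify("Id", "42", tag));       // True
        Console.WriteLine(ProtectedHiddenField.Verify("Id", "43", tag));       // False: value changed
        Console.WriteLine(ProtectedHiddenField.Verify("IsAdmin", "42", tag));  // False: tag moved to another field
        Console.WriteLine(ProtectedHiddenField.Verify("Id", "42", "not-b64")); // False: garbage tag
    }
}
```

Two caveats worth keeping in mind: the value itself is still visible to the user (this gives integrity, not confidentiality), and a previously issued valid pair for the same field can be replayed as-is, so the scheme stops forging new values but not reuse of old ones; bind a per-user or per-record component into the message if that matters.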
Reputation: 3952
Take a look at TryUpdateModel() (MSDN article found here). You can specify a black-list and white-list of what you'd like the method to actually update:
public ActionResult MyUpdateMethod(MyModel myModel)
{
    if (ModelState.IsValid)
    {
        var myDomainModel = new DomainModel();
        // Second argument is the whitelist (includeProperties), third the blacklist
        // (excludeProperties); only matching properties are bound from the request.
        if (TryUpdateModel(myDomainModel,
                           new string[] { /* WhiteList Properties here */ },
                           new string[] { /* BlackList Properties here */ }))
        {
            // Save it or do whatever
            return RedirectToAction(/* Yada */);
        }
    }
    return View(myModel);
}
Along with that, I'd make sure that your posted model doesn't contain the fields that you want the user to update, though that can be overridden with a hand-crafted form post. This will at least help you ensure you're not accidentally putting fields on the page you don't want edited.
Upvotes: 4