Marked as answer by sos00 on Apr 04, 2010 06:16 PM
sos00
Member
442 Points
95 Posts
keep values of model's unused members during updates
Apr 02, 2010 11:32 AM|LINK
hi,
suppose our model has a property named "CreatedByUserId" that keeps the creator's user id
when we want to update our model, there is no need to display this field, but we should keep its value during the update.
so, if I don't place any edit field for this property in the view, the model won't have any value for the CreatedByUserId property when it returns to the controller
to solve this, I:
1. place a hidden input in the view for these fields (which is vulnerable)
or
2. make a GET call to the DB and get the original CreatedByUserId value on each update (which causes additional round trips to the DB)
isn't there any better way to do this?
thanks in advance
SethMW
Member
84 Points
30 Posts
Re: keep values of model's unused members during updates
Apr 02, 2010 12:21 PM|LINK
I think you'll find that most people use a hidden field. It isn't ideal, but if you want the data in your controller it has to be in the form somewhere.
avsomeren
Member
185 Points
41 Posts
Re: keep values of model's unused members during updates
Apr 02, 2010 12:26 PM|LINK
You could also use TempData for this.
sos00
Member
442 Points
95 Posts
Re: keep values of model's unused members during updates
Apr 02, 2010 12:54 PM|LINK
thanks guys,
as I said, the hidden field is very vulnerable; a malicious user could simply edit its value and then make unauthorized changes
TempData causes other issues, because it's not tied to the current page, so if the user wants to make several changes in different tabs at the same time then boom! everything goes wrong
avsomeren
Member
185 Points
41 Posts
Re: keep values of model's unused members during updates
Apr 02, 2010 12:59 PM|LINK
Very true, TempData has its drawbacks.
What you could do is make sure that the hidden field's contents are hashed in some way, limiting the risk of tampering.
Otherwise, I can't think of any other simple solution to this.
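An added example, not code from this thread, of what "hashed in some way" has to look like before it actually limits tampering: a plain hash of the value is useless, because the client can recompute it for any value it likes. What makes the hidden field tamper-evident is a keyed MAC (HMAC) under a key that never leaves the server. The class below is hypothetical; the key is assumed to be a random 32-byte value stored base64-encoded in a web.config appSetting named "HiddenFieldKey", and the record id is mixed into the MAC input so a tag minted for one record cannot be replayed against another.

```csharp
// Added example (not from the thread): hidden field + HMAC so the server can
// detect client edits. Targets ASP.NET MVC 2 era APIs (TagBuilder, MvcHtmlString).
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;

public static class SignedHiddenField
{
    private static byte[] Key()
    {
        // Assumption: a 32-byte random key, base64 in web.config appSettings.
        // Generate it once with RNGCryptoServiceProvider; never derive it from
        // anything the client can see.
        return Convert.FromBase64String(ConfigurationManager.AppSettings["HiddenFieldKey"]);
    }

    private static string Mac(string fieldName, string recordId, string value)
    {
        // Bind the tag to the field name and the record it belongs to, so a
        // valid (value, mac) pair cannot be moved to another field or record.
        using (var hmac = new HMACSHA256(Key()))
        {
            var data = Encoding.UTF8.GetBytes(fieldName + "\n" + recordId + "\n" + value);
            return Convert.ToBase64String(hmac.ComputeHash(data));
        }
    }

    // Renders two hidden inputs: the value, and its MAC under name + "__mac".
    public static MvcHtmlString Render(string fieldName, string recordId, string value)
    {
        var field = new TagBuilder("input");
        field.MergeAttribute("type", "hidden");
        field.MergeAttribute("name", fieldName);
        field.MergeAttribute("value", value);

        var mac = new TagBuilder("input");
        mac.MergeAttribute("type", "hidden");
        mac.MergeAttribute("name", fieldName + "__mac");
        mac.MergeAttribute("value", Mac(fieldName, recordId, value));

        return MvcHtmlString.Create(
            field.ToString(TagRenderMode.SelfClosing) + mac.ToString(TagRenderMode.SelfClosing));
    }

    // Returns the posted value only if its MAC verifies for this record; otherwise null.
    public static string Read(FormCollection form, string fieldName, string recordId)
    {
        string value = form[fieldName];
        string presented = form[fieldName + "__mac"];
        if (value == null || presented == null) return null;

        byte[] expected = Convert.FromBase64String(Mac(fieldName, recordId, value));
        byte[] given;
        try { given = Convert.FromBase64String(presented); }
        catch (FormatException) { return null; }

        // Fixed-time comparison: reject without leaking which byte differed.
        if (expected.Length != given.Length) return null;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ given[i];
        return diff == 0 ? value : null;
    }
}
```

In the edit view you would emit `SignedHiddenField.Render("CreatedByUserId", Model.Id.ToString(), Model.CreatedByUserId)` and in the POST action call `SignedHiddenField.Read(form, "CreatedByUserId", id.ToString())`, treating a null return as a tampered request. The value itself is still visible to the client (sign only, no encryption), and a user can still re-post an unmodified form, which is harmless here because the value is the one the server issued for that record.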
levib
Star
7702 Points
1099 Posts
Microsoft
Re: keep values of model's unused members during updates
Apr 02, 2010 05:02 PM|LINK
Stick a [Bind(Exclude = "CreatedByUserId")] attribute on the model type. This will prevent the binder from ever attempting to set that property. (This value will probably be default(TProperty) if you're creating a new object, or it will maintain its original value if you retrieved the model from the DB as part of this action.) When submitting this updated object to your repository, the repository would have to be smart enough to compare the previously stored ID with the current user ID.
If you absolutely need to keep the CreatedByUserId around, you may want to consider sticking it in Session. As long as Session is stored at the server (the default configuration), it's tamper-proof by end users.
MVC Futures also has Html.Serialize() and the [Deserialize] attribute, both of which can be configured to encrypt + sign the serialized contents. See http://blog.maartenballiauw.be/post/2009/10/08/Leveraging-ASPNET-MVC-2-futures-ViewState.aspx for more information. The Sign + Encrypt parameter to these methods prevents inspection of and tampering with the generated data, but the data can still be replayed. (You may also serialize a timestamp in the data to create a window after which replays are invalid, if you wish.)
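An added example, not code from the thread, of the [Bind(Exclude = ...)] approach carried through to a working controller, since the attribute alone only stops the binder: if the POST action takes a freshly bound model and saves it, CreatedByUserId is default(TProperty) (null here) and the stored value gets overwritten. The version below loads the stored row and overlays the posted fields onto it with TryUpdateModel, so the one extra read is the same round trip the original poster's option 2 needed, but the client never gets a say in the value. The model, repository and controller names (Article, IArticleRepository, ArticleController) are hypothetical; the APIs are ASP.NET MVC 2.

```csharp
// Added example (not from the thread). Hypothetical types: Article,
// IArticleRepository, ArticleController. ASP.NET MVC 2 APIs.
using System;
using System.Web;
using System.Web.Mvc;

// Type-level exclusion: DefaultModelBinder will never set this property from
// form values, query string or route data, whatever hidden inputs a client adds.
[Bind(Exclude = "CreatedByUserId")]
public class Article
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
    public string CreatedByUserId { get; set; }
}

public interface IArticleRepository
{
    Article GetById(int id);
    void Save(Article article);
}

public class ArticleController : Controller
{
    private readonly IArticleRepository _repo;

    public ArticleController(IArticleRepository repo) { _repo = repo; }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Article article)
    {
        // The binder left CreatedByUserId at its default (null). Set it from the
        // authenticated identity, never from anything in the request body.
        article.CreatedByUserId = User.Identity.Name;
        _repo.Save(article);
        return RedirectToAction("Details", new { id = article.Id });
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, FormCollection form)
    {
        // Load the stored row first; this is what keeps CreatedByUserId intact.
        var article = _repo.GetById(id);
        if (article == null) throw new HttpException(404, "Not found");

        // The "repository has to be smart enough" check, done with server-side
        // values only: the stored creator versus the current principal.
        if (!string.Equals(article.CreatedByUserId, User.Identity.Name, StringComparison.Ordinal))
            return new HttpUnauthorizedResult();

        // Overlay only the editable fields. The include list is a second layer;
        // the type-level Exclude already keeps CreatedByUserId out.
        if (!TryUpdateModel(article, null, new[] { "Title", "Body" }, null, form.ToValueProvider()))
            return View(article);

        _repo.Save(article);
        return RedirectToAction("Details", new { id });
    }
}
```

The authorization comparison is against the identity the framework established from the auth cookie, so a hidden field is never consulted at all. If the project later adds editable properties, they have to be added to the include list; forgetting one shows up as a field that silently does not save, which is the safe direction to fail.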
imran_ku07
All-Star
45864 Points
7713 Posts
MVP
Re: keep values of model's unused members during updates
Apr 02, 2010 05:41 PM|LINK
if you are using some sort of FormsAuthentication, then the best option will be User.Identity.Name