johnjohn1231...
Security Concern when Editing an object using asp.net MVC model binder
Apr 29, 2012 01:23 AM
I have an object named Visit with the following properties:-
In the Edit view the user can only edit the following two properties:-
So I have added the other properties that the user cannot edit as hidden fields in my edit view as follows:-
@using (Html.BeginForm()) {
    @Html.ValidationSummary(true)
    <fieldset>
        <legend>Visit</legend>
        <div class="editor-label">
            @Html.LabelFor(model => model.Note)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Note)
            @Html.ValidationMessageFor(model => model.Note)
        </div>
        <div class="editor-label">
            @Html.LabelFor(model => model.DoctorID)
        </div>
        <div class="editor-field">
            @Html.DropDownList("DoctorID", String.Empty)
            @Html.ValidationMessageFor(model => model.DoctorID)
        </div>
        <p>
            @Html.HiddenFor(model => model.VisitTypeID)
            @Html.HiddenFor(model => model.CreatedBy)
            @Html.HiddenFor(model => model.Date)
            @Html.HiddenFor(model => model.VisitID)
            @Html.HiddenFor(model => model.PatientID)
            @Html.HiddenFor(model => model.StatusID)
            @Html.HiddenFor(model => model.timestamp)
            <input type="submit" value="Create" />
        </p>
    </fieldset>
}
I have included all the properties that the user cannot edit as hidden fields, since I am passing a Visit object to my post edit action method, which looks as follows:-
[HttpPost]
public ActionResult Edit(Visit visit)
{
    if (!(visit.Editable(User.Identity.Name)))
    {
        return View("NotFound");
    }
    try
    {
        if (ModelState.IsValid)
        {
            repository.UpdateVisit(visit);
            repository.Save();
            return RedirectToAction("Index");
        }
    }
    catch (DbUpdateConcurrencyException ex)
    {
        var entry = ex.Entries.Single();
        var clientValues = (Visit)entry.Entity;
        ModelState.AddModelError(string.Empty, "The record you attempted to edit "
            + "was modified by another user after you got the original value. The ");
        //code goes here
    }
    return View(visit);
}
So I am worried about the above approach, since an attacker might modify the hidden field values. But on the other hand, if I only pass the object ID to the EditPOST action method and then retrieve the object from the back-end, then that will prevent the DbUpdateConcurrencyException from being fired in case the timestamp for the object was changed.
So how can I keep my code secure and at the same time be able to manage concurrency exceptions?
BR
ammd
Re: Security Concern when Editing an object using asp.net MVC model binder
Apr 29, 2012 04:28 AM
I would suggest having only the properties you need on your form and passing them to the edit action along with the id of the record, and then just modifying your data using the results, for example as follows:-
public ActionResult Edit(int id, Model model) // where model only contains the two fields you want to edit
{
    // get object from db with id
    var myobj = Repository.GetById(id);
    myobj.EditedField = model.editedfield; // you get the idea
    Repository.Save(myobj); // saving only changes you've made
    return RedirectToAction("Index");
}
Hope this guides you in the right direction.
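The approach above carried through to the concurrency part of the question, as an added example that is not code from the thread: only the two editable fields, the key and the row version are bound; the record is loaded and authorized server-side; and the posted timestamp is set as the entity's original value so Entity Framework still raises DbUpdateConcurrencyException when the row changed in between. It updates the loaded entity rather than attaching a second Visit instance with the same key, so there is one tracked copy per row. The names VisitContext, VisitEditModel and the [Timestamp] byte[] timestamp column are assumptions.

```csharp
using System.Data.Entity.Infrastructure;   // DbUpdateConcurrencyException
using System.Web.Mvc;

// Added example, not the thread's code. Assumes a DbContext 'VisitContext' with DbSet<Visit> Visits,
// and that Visit.timestamp is a byte[] marked [Timestamp] (SQL Server rowversion).
public class VisitEditModel
{
    public int VisitID { get; set; }          // which row to edit
    public string Note { get; set; }          // the two user-editable fields
    public int DoctorID { get; set; }
    public byte[] timestamp { get; set; }     // rowversion the user saw when the form rendered
}

public class VisitsController : Controller
{
    private readonly VisitContext db = new VisitContext();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(VisitEditModel model)
    {
        // Load the real row and authorize against it; nothing else from the form is trusted.
        var visit = db.Visits.Find(model.VisitID);
        if (visit == null || !visit.Editable(User.Identity.Name))
            return View("NotFound");
        if (model.timestamp == null)               // form did not round-trip the row version
            return new HttpStatusCodeResult(400);
        if (!ModelState.IsValid)
            return View(model);
        // Apply only the editable fields to the tracked entity (one tracked copy per row).
        visit.Note = model.Note;
        visit.DoctorID = model.DoctorID;
        // Tell EF which row version the user saw. The UPDATE gets "WHERE timestamp = @original";
        // if another user saved in between, zero rows match and EF throws.
        db.Entry(visit).Property(v => v.timestamp).OriginalValue = model.timestamp;
        try
        {
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        catch (DbUpdateConcurrencyException)
        {
            ModelState.AddModelError(string.Empty,
                "The record you attempted to edit was modified by another user after you got the original value.");
            db.Entry(visit).Reload();          // pick up the current values and row version
            model.timestamp = visit.timestamp; // so the next submit races only against newer edits
            return View(model);
        }
    }
}
```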
johnjohn1231...
Re: Security Concern when Editing an object using asp.net MVC model binder
Apr 29, 2012 08:00 PM
thanks for the reply; I updated my EditPOST action method to:-
[HttpPost]
public ActionResult Edit([Bind(Include = "Note,DoctorID,VisitID,StatusID,timestamp")] Visit visit)
//[Bind(Include="Note,DoctorID,VisitID,StatusID")]
{
    if ((visit.EditableByAssingedDoctor(User.Identity.Name)) || (visit.EditableByCreatedBy(User.Identity.Name)))
    {
        try
        {
            if (ModelState.IsValid)
            {
                int id = visit.VisitID;
                var v = repository.GetVisit(id);
                visit.CreatedBy = v.CreatedBy;
                visit.Date = v.Date;
                visit.PatientID = v.PatientID;
                visit.VisitTypeID = v.VisitTypeID;
                repository.UpdateVisit(visit);
                repository.Save();
                return RedirectToAction("Index");
            }
        }
        catch (DbUpdateConcurrencyException ex)
        {
            //code goes here
        }
    }
    return View(visit);
}
and the repository.UpdateVisit(visit); code looks like:-
public void UpdateVisit(Visit v)
{
    entities.Entry(v).State = EntityState.Modified;
}
But when I run my application and try to edit the visit object I get the following error:-
on the repository.UpdateVisit(visit) method; so what is going wrong?
BR
ammd
Re: Security Concern when Editing an object using asp.net MVC model binder
Apr 30, 2012 04:05 AM
This means you are trying to update a primary key field on the object. Are you sure that PatientID is NOT your key, because if you try to update your PK you get this sort of error.
Hope this helps.
johnjohn1231...
Re: Security Concern when Editing an object using asp.net MVC model binder
Apr 30, 2012 03:02 PM
yes, the PatientID is the primary key, and I am not updating the PK of the object; what I am doing is populating the newly created object "visit" with the model binder values, which contain the PatientID field.
Decker Dong ...
Re: Security Concern when Editing an object using asp.net MVC model binder
May 01, 2012 12:42 AM
Hello :)
In my mind, I think you can encrypt the values for the hidden field, and then when accepting the value from the hidden field into the Controller, please decrypt it and then assign the decrypted values to the new instance again, property by property.
johnjohn1231...
Re: Security Concern when Editing an object using asp.net MVC model binder
May 01, 2012 01:19 AM
This will be a good approach to follow, at least a more secure approach, but is there an example of how I can encrypt and decrypt the hidden field values that can help me in implementing this?
Best Regards
Decker Dong ...
Re: Security Concern when Editing an object using asp.net MVC model binder
May 01, 2012 05:27 AM
1) In the view, maybe you can write something like this:
<input type="hidden" id="EntityProperty" value='<%=MyEncypt(Model.PropertyValue)%>'/>
For "MyEncypt", I think you can define it in another static class and refer to it here.
2) In the Controller, when fetching the value, please do the decrypting.
For encrypting and decrypting, you can refer to this nice sample: http://www.codeproject.com/Articles/5719/Simple-encrypting-and-decrypting-data-in-C
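Decker Dong's suggestion worked through as an added example that is not from the thread: it uses MachineKey.Protect (.NET 4.5) instead of the linked CodeProject sample, because Protect authenticates as well as encrypts, so a hidden value modified in the browser is rejected rather than decrypted to garbage. The helper name ProtectedHidden, the purpose strings and the view/controller lines in the trailing comments are assumptions; for fields the user should never change, the simpler fix earlier in the thread (do not round-trip them, reload them from the database) still applies.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;   // MachineKey.Protect / Unprotect, .NET 4.5+

// Hypothetical helper, not from the thread: seals a hidden-field value with the site's machine key.
// Protect() both encrypts and MACs, so a value edited in the browser fails validation on the way back.
public static class ProtectedHidden
{
    // 'purpose' binds the token to one field of one record (e.g. "Visit/42/PatientID"), so a token
    // lifted from another visit's form, or from a different field, is rejected as well.
    public static string Protect(string value, string purpose)
    {
        byte[] sealedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(value), "HiddenField", purpose);
        return Convert.ToBase64String(sealedBytes);
    }

    // Returns false for any malformed or tampered token instead of throwing into the action.
    public static bool TryUnprotect(string token, string purpose, out string value)
    {
        value = null;
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            byte[] raw = MachineKey.Unprotect(Convert.FromBase64String(token), "HiddenField", purpose);
            if (raw == null) return false;
            value = Encoding.UTF8.GetString(raw);
            return true;
        }
        catch (CryptographicException) { return false; }   // MAC check failed: value was modified
        catch (FormatException) { return false; }          // not valid base64
    }

    // One purpose string per (record, field) pair.
    public static string PurposeFor(int visitId, string field)
    {
        return "Visit/" + visitId + "/" + field;
    }
}

// Razor view (assumed model properties):
//   @Html.Hidden("PatientID", ProtectedHidden.Protect(Model.PatientID.ToString(),
//                                                     ProtectedHidden.PurposeFor(Model.VisitID, "PatientID")))
// Controller action with an 'id' parameter, before the value is used:
//   string patientId;
//   if (!ProtectedHidden.TryUnprotect(Request.Form["PatientID"],
//           ProtectedHidden.PurposeFor(id, "PatientID"), out patientId))
//       return new HttpStatusCodeResult(400);   // reject the request rather than trust the field
```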