johnjohn1231...
Security Concern when Editing an object using asp.net MVC model binder
Apr 29, 2012 01:23 AM
I have an object named Visit with the following properties:
In the Edit view the user can only edit the following two properties:
So I have added the other properties that the user cannot edit as hidden fields in my edit view as follows:
```cshtml
@using (Html.BeginForm())
{
    @Html.ValidationSummary(true)
    <fieldset>
        <legend>Visit</legend>

        <div class="editor-label">
            @Html.LabelFor(model => model.Note)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Note)
            @Html.ValidationMessageFor(model => model.Note)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.DoctorID)
        </div>
        <div class="editor-field">
            @Html.DropDownList("DoctorID", String.Empty)
            @Html.ValidationMessageFor(model => model.DoctorID)
        </div>

        <p>
            @Html.HiddenFor(model => model.VisitTypeID)
            @Html.HiddenFor(model => model.CreatedBy)
            @Html.HiddenFor(model => model.Date)
            @Html.HiddenFor(model => model.VisitID)
            @Html.HiddenFor(model => model.PatientID)
            @Html.HiddenFor(model => model.StatusID)
            @Html.HiddenFor(model => model.timestamp)
            <input type="submit" value="Create" />
        </p>
    </fieldset>
}
```

I have included all the properties that the user cannot edit as hidden fields, since I am passing a Visit object to my POST Edit action method, which looks as follows:

```csharp
[HttpPost]
public ActionResult Edit(Visit visit)
{
    if (!(visit.Editable(User.Identity.Name)))
    {
        return View("NotFound");
    }
    try
    {
        if (ModelState.IsValid)
        {
            repository.UpdateVisit(visit);
            repository.Save();
            return RedirectToAction("Index");
        }
    }
    catch (DbUpdateConcurrencyException ex)
    {
        var entry = ex.Entries.Single();
        var clientValues = (Visit)entry.Entity;
        ModelState.AddModelError(string.Empty, "The record you attempted to edit "
            + "was modified by another user after you got the original value. The "
            //code goes here
```

So I am worried about the above approach, since an attacker might modify the hidden field values. But on the other hand, if I only pass the object ID to the Edit POST action method and then I retrieve the object from the back-end, then that will prevent the DbUpdateConcurrencyException from being fired in case the timestamp for the object was changed.
So how can I keep my code secure and at the same time be able to manage concurrency exceptions?
BR
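Added here as an example of one way to get both properties at once; this is not the poster's code. The form is bound to a view model that has no place for the non-editable columns, the entity is loaded from the database by key, and the rowversion the user originally saw is handed back to EF as the original value so the concurrency check still fires. It assumes a DbContext class named VisitsContext exposing DbSet<Visit> Visits, that Visit.timestamp is a byte[] marked [Timestamp], and that the edit view posts Note, DoctorID and hidden VisitID and timestamp fields only.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity.Infrastructure;
using System.Web.Mvc;
// Only what the browser may legitimately send back: the key, the two editable
// fields and the concurrency token. Other columns have nowhere to bind.
public class VisitEditModel
{
    public int VisitID { get; set; }
    public string Note { get; set; }
    public int DoctorID { get; set; }
    [Required] public byte[] timestamp { get; set; }   // posted as base64 by Html.HiddenFor
}

public class VisitsController : Controller
{
    // Assumption: a DbContext named VisitsContext with DbSet<Visit> Visits, and
    // Visit.timestamp is a byte[] marked [Timestamp] (a SQL Server rowversion).
    private readonly VisitsContext db = new VisitsContext();
    [HttpPost]
    public ActionResult Edit(VisitEditModel model)
    {
        // The client supplies only the key; the authoritative row comes from the database.
        var visit = db.Visits.Find(model.VisitID);
        if (visit == null || !visit.Editable(User.Identity.Name))
            return View("NotFound");
        if (!ModelState.IsValid)
            return View(model);
        // Copy only the two editable properties onto the tracked entity.
        visit.Note = model.Note;
        visit.DoctorID = model.DoctorID;
        // Find() loaded the current rowversion, which would make the UPDATE always succeed.
        // Restoring the version the user saw as the original value puts it back in the
        // WHERE clause, so a newer row still raises DbUpdateConcurrencyException.
        db.Entry(visit).Property(v => v.timestamp).OriginalValue = model.timestamp;
        try
        {
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        catch (DbUpdateConcurrencyException)
        {
            ModelState.AddModelError(string.Empty, "The record you attempted to edit "
                + "was modified by another user after you got the original value.");
            var dbValues = db.Entry(visit).GetDatabaseValues();   // null if the row was deleted
            if (dbValues != null)
                model.timestamp = dbValues.GetValue<byte[]>("timestamp"); // resubmit against the new version
            return View(model);
        }
    }
}
```

Because the view model carries no PatientID, CreatedBy or StatusID, extra or altered hidden fields for those columns are simply dropped by the model binder, while a stale timestamp still produces the concurrency error.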