keep values of model's unused members during updates

hi,

suppose our model has a property named "CreatedByUserId" that keeps the creator's user id

when we want to update our model, there are no need to display this field, but we should keep it's value during the update.

so, if i don't place any edit field for this property on the view, the model wouldn't have any value for CreatedByUserId property when returns to controller

to solve this, i :

1.place a hidden input in the view for these fields (which is vulnerable)

2.make a Get call to db and get the original CreatedByUserId value on each update (which causes additional round trips to db)

isn't there any better way to do this ?

thanks in advance

Re: keep values of model's unused members during updates

I think you'll find that most people use a hidden field. It isn't ideal, but if you want the data in your controller it has to be in the form somewhere.

Re: keep values of model's unused members during updates

You could also use TempData for this.

Re: keep values of model's unused members during updates

thanks guys,

as i said the hidden field is very vulnerable , a malicious user could simply edit it's value and then make unauthorized changes

TempData cause other issues, because it's not tied to current page, so if the user wants to make several changes in different tabs at the same time then boom!, everything goes wrong

Re: keep values of model's unused members during updates

Very true, TempData has it's drawbacks.

What you could do is make sure that the hiddenfield's contents is hashed in some sort of way, limiting the risc of tampering.

Otherwise, i can't think of any other simple solution to this.

Re: keep values of model's unused members during updates

Stick a [Bind(Exclude = "CreatedByUserId")] attribute on the model type. This will prevent the binder from ever attempting to set that property. (This value will probably be default(TProperty) if you're creating a new object, or it will maintain its original value if you retrieved the model from the DB as part of this action.) When submitting this updated object to your repository, the repository would have to be smart enough to compare the previously stored ID with the current user ID.

If you absolutely need to keep the CreatedByUserId around, you may want to consider sticking it in Session. As long as Session is stored at the server (the default configuration), it's tamper-proof by end users.

Also, MVC Futures also has Html.Serialize() and the [Deserialize] attribute, both of which can be configured to encrypt + sign the serialized contents. See http://blog.maartenballiauw.be/post/2009/10/08/Leveraging-ASPNET-MVC-2-futures-ViewState.aspx for more information. The Sign + Encrypt parameter to these methods prevent inspection of and tampering with the generated data, but the data can still be replayed. (You may also serialize a timestamp in the data to create a window after which replays are invalid, if you wish.)

Re: keep values of model's unused members during updates

sos00
suppose our model has a property named "CreatedByUserId" that keeps the creator's user id

if you are using some sort of FormAuthentication then best will be User.Identity.Name