I don't understand [Bind (Exclude = "ID")] in MVC

I'm really confused about this ... still.

I asked a similar question before, but now I will ask even easier.

I see this in many samples and tutorials. How could you put [Bind (Exclude = "ID")] on the entire Model and expect to Edit on the Model? If you get all the properties of the model on POST, but not the ID, then how do you know which ID to change?

Even if I use ViewModels ... I probably create them without IDs. So in this case ... also ... how do you know which ID was updated in Edit?

Yes, I understand there is a safety element for this. People can grab the ID ... so we need people not to update the value during POST. But ... what is the correct way to handle rights? What's a common practice?

It seems to me that I am missing something VERY trivial.

+3




2 answers


Requests in MVC are handled by the model binder when the client makes a request. If you take models as controller arguments, then as far as I know you really need to specify the model you want to bind to by prefixing your arguments with the model name (unless you only have one argument, which is the model):

SomeModel_ID

Now, in some cases, you may need to exclude certain properties from binding because they pose a security risk, a concept you seem to be comfortable with. We will exclude the identifier on the model, preventing any client request from posting this value in plain text.

Now, why can we exclude it on the whole model? Well, not all controller arguments are pre-processed by the model binder. For example, RedirectToAction does not go through the model binder, so in this case it is possible to create a new model in the POST controller action and redirect to the GET controller action, passing along the sanitized model. This model cannot be filled in by the client, but we can fill it in ourselves on the server side.



The only time I bind to a model is when I have a view model and an associated editor for that model. This makes it easy to introduce a common editor onto the page and encapsulate these properties. If you need to exclude certain properties from binding, I would say that you are doing it wrong.

Update

After your comments, I think I can understand why you might be confused. The model-binding Exclude prevents the client from ever setting a model property. If you need this property in order to perform your update, you simply cannot exclude it. This then means that the user can send any identifier. In this case, you must ensure that the user has permission to modify any objects or database records associated with this identifier before servicing the requested update. Argument validation is a manual process. You can use data annotations to validate the input, but this is unlikely to help very much with access permissions. This is something that you should manually check at some point.

+3
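As an added example (not code from the answer above, nor from any project the thread mentions), here is how a class-level [Bind(Exclude = "ID")] and a parameter-level [Bind(Prefix = ...)] behave in ASP.NET MVC. It assumes the System.Web.Mvc namespace of MVC 3 to 5; the Product, Address, Store and ProductController names are invented for the example, and Store is an in-memory stand-in for a database.

```csharp
// Added example, not code from the original thread. Assumes ASP.NET MVC
// (System.Web.Mvc). Product, Address, Store and ProductController are
// invented names; Store is an in-memory stand-in for a database.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

// Class-level Exclude: the model binder never copies "ID" from the request
// into a Product, so a bound Product always arrives with ID == 0 whatever
// the client posted. That stops a client from choosing the key, and it is
// also why the action cannot tell from the model alone which row to update.
[Bind(Exclude = "ID")]
public class Product
{
    public int ID { get; set; }
    public string Name { get; set; }
    public decimal Price { get; set; }
}

public class Address
{
    public string Street { get; set; }
    public string City { get; set; }
}

// Minimal in-memory store standing in for a database.
public static class Store
{
    private static readonly List<Product> Products = new List<Product>();
    private static readonly Dictionary<int, Address> Addresses = new Dictionary<int, Address>();

    public static int Insert(Product p)
    {
        p.ID = Products.Count + 1;          // the server assigns the key
        Products.Add(p);
        return p.ID;
    }

    public static void AttachAddress(int productId, Address a) { Addresses[productId] = a; }

    public static Product Find(int id) { return Products.FirstOrDefault(p => p.ID == id); }
}

public class ProductController : Controller
{
    // Single model argument: the binder reads the top-level fields "Name"
    // and "Price". A posted "ID=42" is ignored because of the Exclude above.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(Product product)
    {
        if (!ModelState.IsValid) return View(product);
        int newId = Store.Insert(product);   // product.ID was 0 on arrival
        return RedirectToAction("Details", new { id = newId });
    }

    // Two model arguments: without a prefix both parameters would look for
    // the same top-level field names. Prefix tells the binder to read
    // "product.Name", "product.Price", "shipTo.Street" and "shipTo.City".
    // The class-level Exclude on Product still applies here.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult CreateWithShipping(
        [Bind(Prefix = "product")] Product product,
        [Bind(Prefix = "shipTo")] Address shipTo)
    {
        if (!ModelState.IsValid) return View();
        int newId = Store.Insert(product);
        Store.AttachAddress(newId, shipTo);
        return RedirectToAction("Details", new { id = newId });
    }

    // GET /product/details/7 -> id comes from the route, not from a model.
    public ActionResult Details(int id)
    {
        Product product = Store.Find(id);
        if (product == null) return HttpNotFound();
        return View(product);
    }
}
```

The point to take from the two POST actions is that Exclude does not "hide" the ID from the action; it guarantees the ID the action sees is the default value, so any key the action needs must come from somewhere the client cannot set freely, or must be checked against the caller's permissions before use.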




You know the ID because it is passed to you through the page address. So:

http://yoursite.com/admin/users/edit/20

will populate your ID parameter with 20. If it is used in POST (i.e. information is being populated), just manually fill in the ID field and pass it to the database controller in whatever way you designed.

This is also immune to (trivial) hijacks, because if they were to write another ID besides 20, they won't update the user with ID 20 now, will they? :)

+2
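As an added example (not code from either answer, nor from any project the thread mentions), here is the route-id pattern the second answer describes combined with the permission check the first answer's update calls for: the ID comes from /admin/users/edit/20, the form binds only into a view model with no ID, and the action checks that the caller may edit record 20 before copying the editable fields onto it. It assumes ASP.NET MVC's System.Web.Mvc namespace; Account, EditAccountViewModel, AccountRepository and UsersController are invented names, and the repository is an in-memory stand-in.

```csharp
// Added example, not code from the original thread. Assumes ASP.NET MVC
// (System.Web.Mvc). Account, EditAccountViewModel, AccountRepository and
// UsersController are invented; the repository is in-memory.
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class Account
{
    public int ID { get; set; }
    public string Login { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// The view model deliberately has no ID (and no IsAdmin): the form can only
// ever carry the two editable fields, so nothing needs to be excluded.
public class EditAccountViewModel
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class AccountRepository
{
    // Constructed sample records standing in for database rows.
    private static readonly List<Account> Accounts = new List<Account>
    {
        new Account { ID = 20, Login = "alice", DisplayName = "Alice", Email = "alice@example.com" },
        new Account { ID = 21, Login = "bob",   DisplayName = "Bob",   Email = "bob@example.com" },
    };

    public Account Find(int id) { return Accounts.FirstOrDefault(a => a.ID == id); }

    // In-memory: Find returned the stored instance, so edits are already
    // visible. A real repository would write the row here.
    public void Save(Account account) { }
}

[Authorize]
public class UsersController : Controller
{
    private readonly AccountRepository _accounts = new AccountRepository();

    // GET /admin/users/edit/20 -> with a {controller}/{action}/{id} route
    // (under the "admin" area) id arrives as 20; it is never read from a form.
    public ActionResult Edit(int id)
    {
        Account account = _accounts.Find(id);
        if (account == null) return HttpNotFound();
        if (!CanEdit(account)) return new HttpUnauthorizedResult();

        var form = new EditAccountViewModel { DisplayName = account.DisplayName, Email = account.Email };
        return View(form);
    }

    // POST /admin/users/edit/20 -> the same id from the route; the request
    // body binds only into EditAccountViewModel.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, EditAccountViewModel form)
    {
        if (!ModelState.IsValid) return View(form);

        Account account = _accounts.Find(id);
        if (account == null) return HttpNotFound();
        // The rights check the thread asks about: data annotations validate
        // the form, but only this line decides whether the caller may touch
        // record 20 at all.
        if (!CanEdit(account)) return new HttpUnauthorizedResult();

        // "Manually fill in": copy exactly the editable fields onto the record
        // found by the route id. ID, Login and IsAdmin stay untouched however
        // the request body was crafted.
        account.DisplayName = form.DisplayName;
        account.Email = form.Email;
        _accounts.Save(account);

        return RedirectToAction("Edit", new { id = account.ID });
    }

    // Authorization rule: admins may edit anyone, everyone else only their own record.
    private bool CanEdit(Account target)
    {
        return User.IsInRole("Admin") || target.Login == User.Identity.Name;
    }
}
```

Because the binder's only target on POST is EditAccountViewModel, a [Bind(Exclude = "ID")] is not needed anywhere; the view model shape is the whitelist. The id still has to be trusted only after CanEdit runs, since any authenticated user can type /admin/users/edit/21 into the address bar just as easily as 20.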








