Attribute [Bind(Exclude="")] fails to prevent over-posting


Problem description

What is the best way to prevent MVC 4 over-posting?

According to MS sources, the [Bind] attribute is supposed to be the easiest way to prevent over-posting by preventing incoming form values from making it to the database. With the latest version of MVC & EF this does not seem to be working as expected/advertised, unless I'm missing something major.

From Wrox Professional ASP.NET MVC 4 (Jon Galloway's Chapter 7), the following class should prevent over-posting:

[Bind(Exclude="IsAdmin")]
public class User
{
    public int ID { get; set; }
    public string FirstName { get; set; }
    public bool IsAdmin { get; set; }
}

But all the [Bind] attribute does is prevent the form submission values from binding to the model. The model then has a blank/default value, which is written back to the database. In this case, it would ensure that IsAdmin = false EVERY TIME you call .SaveChanges() using this model. Any "true" values are overwritten. That's a HUGE security failure.

The alternate syntax - placing [Bind] in the Edit controller action parameter - does the exact same thing:

public ActionResult Edit([Bind(Exclude = "IsAdmin")] User user)

All "true" values are overwritten when .SaveChanges() is called, contradicting K. Scott Allen's blog post on the topic: http://odetocode.com/blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx

The only alternative seems to be a flurry of dedicated ViewModels all wired up with Automapper. While secure, that seems like a MASSIVE headache, especially as:

  • You may have different requirements for the Create, Edit, Index and Details actions, requiring different ViewModels

  • You may need to expose some read-only fields (e.g. CreatedBy on the Edit action) that cannot be decorated with a [ReadOnly] attribute, because they are updated by the Create action

I know that somebody is going to respond by saying you should never bind data models to views, but that is the default template behavior and the way it's shown in nearly all documentation. And besides, MVC + EF was supposed to make life easier, not harder, and an ocean of ModelView classes wired up with AutoMapper is not what I consider easier.

So does anybody know how to make [Bind] function as advertised?

Recommended answer

I think you may have been misled by the Wrox book on this occasion. What you describe is the intended behaviour of the Bind/Exclude property. See http://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute.exclude(v=vs.108).aspx.

If you do not want to bind values to every property on your model, I believe that ViewModels are the way to go, even though as you rightly point out they are something of an overhead. Nevertheless, the advantages of using them are significant, and IMO in this sort of context, justify the extra development work. For example:

  • Allow partial entity updates

  • Presenting data from multiple entities

  • Decoupling the UI from the domain model, letting you change labels, validation rules and error messages

Automapper is one option for doing the mapping from the entity to view models, but if you are using Lazy Loading, beware. I discovered Automapper doesn't handle updates to EF Proxy classes in the way I hoped. In the end I removed AM and rolled my own mapping mechanism based on an IMappable interface and a generic utility class. In many cases it's not much more code to type to do that than to configure Automapper.
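An added example (not code from the question, the answer, or the Wrox book) putting the two patterns side by side: the Edit action from the question, which saves a User whose excluded IsAdmin has silently defaulted to false, and the view-model approach the answer recommends. EditUserViewModel, IUserRepository and EditUnsafe are hypothetical names; the repository stands in for an EF DbContext and its SaveChanges() call.

```csharp
using System.Web.Mvc;

// Entity from the question: [Bind(Exclude)] stops IsAdmin from binding, but the
// unbound property still carries its default (false) into the save.
[Bind(Exclude = "IsAdmin")]
public class User
{
    public int ID { get; set; }
    public string FirstName { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical view model: only the fields the Edit form may change.
public class EditUserViewModel
{
    public int ID { get; set; }
    public string FirstName { get; set; }
}

// Hypothetical data-access seam standing in for an EF DbContext and SaveChanges().
public interface IUserRepository { User Find(int id); void Save(User user); }

public class UsersController : Controller
{
    private readonly IUserRepository _repo;
    public UsersController(IUserRepository repo) { _repo = repo; }

    // Pattern from the question: the posted User arrives with IsAdmin == false
    // whatever is stored, so saving it silently demotes administrators.
    [HttpPost]
    public ActionResult EditUnsafe([Bind(Exclude = "IsAdmin")] User user)
    {
        _repo.Save(user);                 // writes IsAdmin = false every time
        return RedirectToAction("Index");
    }

    // View-model approach from the answer: load the stored entity, copy only the
    // whitelisted fields onto it, and leave IsAdmin untouched.
    [HttpPost]
    public ActionResult Edit(EditUserViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);
        var user = _repo.Find(vm.ID);
        if (user == null) return HttpNotFound();
        user.FirstName = vm.FirstName;    // IsAdmin keeps its stored value
        _repo.Save(user);
        return RedirectToAction("Index");
    }
}
```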
