Entity-Record Security
It works fine, but when the user changes the 'ProductDTO.Property1' field name to 'ProductDTO.Property2' via Firebug, the DTO's Property2 is set as the client requests. In the meantime, I'm not wondering about DTOs, but when I map an entity to a page for editing, the client can change DB records.
I want to protect some properties by role: users cannot change them, but admins can.
E.g. is there any solution like this:
[Secure(Role="Admin")]
public string Property2 { get; set; }
DTO:
public class ProductDTO
{
public string Property1 { get; set; }
public string Property2 { get; set; }
}
In aspx:
<%@ Control Language="C#" AutoEventWireup="true" Inherits="System.Web.Mvc.ViewUserControl<CmTest.Web.Controllers.ProductController.ProductFormViewModel>" %>
<% using (Html.BeginForm()) { %>
<%= Html.AntiForgeryToken() %>
<label for="Product_Property1">Property1:</label>
<div>
<%= Html.TextBox("ProductDTO.Property1", (ViewData.Model.ProductDTO != null) ? ViewData.Model.ProductDTO.Property1 : "")%>
</div>
<% } %>
Controller:
[Transaction]
public ActionResult Edit(int id)
{
ProductFormViewModel viewModel = ProductFormViewModel.CreateProductFormViewModel();
viewModel.ProductDTO = productRepository.GetDTO(id);
return View(viewModel);
}
[ValidateAntiForgeryToken]
[Transaction]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Edit(ProductDTO productDTO)
{
//debugging
}
public class ProductFormViewModel
{
private ProductFormViewModel() { }
public static ProductFormViewModel CreateProductFormViewModel()
{
ProductFormViewModel viewModel = new ProductFormViewModel();
return viewModel;
}
public ProductDTO ProductDTO { get; internal set; }
}
I hardly understand what you are asking, but if you are worried about mass assignment you could exclude Property2 from binding:
public ActionResult Edit([Bind(Exclude = "Property2")]ProductDTO productDTO)
or, even better, use Include to make a white-list of bindable properties.
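As an added example (not code from the question or the answer), here are both approaches side by side against the ProductDTO above, targeting ASP.NET MVC 1/2 (System.Web.Mvc): the white-list via [Bind(Include = ...)] that the answer recommends, and, going beyond the answer, a DefaultModelBinder subclass that implements the per-property, role-gated [Secure(Role = "Admin")] attribute the question asks for. SecureAttribute, RoleAwareModelBinder, the Id property and the action names are my own assumptions, not part of the original page.

```csharp
using System;
using System.ComponentModel;
using System.Linq;
using System.Web.Mvc;

// Assumed (hypothetical) property-level attribute: the property is bound from the
// request only when the current user is in the named role.
[AttributeUsage(AttributeTargets.Property)]
public sealed class SecureAttribute : Attribute
{
    public string Role { get; set; }
}

public class ProductDTO
{
    public int Id { get; set; }          // assumed: needed to locate the record on POST
    public string Property1 { get; set; }

    [Secure(Role = "Admin")]             // admins may change this; everyone else may not
    public string Property2 { get; set; }
}

// Model binder that skips any [Secure]-marked property when the caller lacks the role.
// A forged form field named "Property2" (e.g. renamed in Firebug) is then ignored
// instead of being written into the DTO.
public class RoleAwareModelBinder : DefaultModelBinder
{
    protected override void BindProperty(ControllerContext controllerContext,
                                         ModelBindingContext bindingContext,
                                         PropertyDescriptor propertyDescriptor)
    {
        var secure = propertyDescriptor.Attributes.OfType<SecureAttribute>().FirstOrDefault();
        if (secure != null)
        {
            var user = controllerContext.HttpContext.User;
            if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole(secure.Role))
            {
                return; // not authorized for this property: leave it at its default value
            }
        }
        base.BindProperty(controllerContext, bindingContext, propertyDescriptor);
    }
}

// Register the binder once at application start (Global.asax.cs).
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        ModelBinders.Binders.DefaultBinder = new RoleAwareModelBinder();
    }
}

public class ProductController : Controller
{
    // White-list approach from the answer: only Id and Property1 are ever bound,
    // no matter which extra fields the client adds to the POST body.
    [ValidateAntiForgeryToken]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit([Bind(Include = "Id,Property1")] ProductDTO productDTO)
    {
        // productDTO.Property2 is always null here; persist Property1 only.
        return RedirectToAction("Edit", new { id = productDTO.Id });
    }

    // Role-gated approach: with RoleAwareModelBinder registered, Property2 is bound
    // only when User.IsInRole("Admin"); for other users it stays null even if posted.
    [ValidateAntiForgeryToken]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult AdminEdit(ProductDTO productDTO)
    {
        return RedirectToAction("Edit", new { id = productDTO.Id });
    }
}
```

Two caveats a practitioner will want. Include/Exclude lists are plain strings, so a later property rename silently widens or breaks the white-list; a dedicated input model with only the editable fields is more robust than a shared DTO. And whichever binding filter is used, the POST action should still load the record by id on the server and copy only the permitted fields onto it, rather than persisting the bound object wholesale. To check either version, replay the form POST with an extra ProductDTO.Property2 field (e.g. with curl) and confirm the stored value is unchanged.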