I have an ASP.NET MVC application that is calendar-like. As per the NerdDinner example, I'm updating the results of my edit page using UpdateMethod()
In my app, certain events are fully customizable and certain ones are only partially customizable. Even though the edit form for editing the partially customizable events only have those fields available, obviously someone could create their own form with the missing data and post to my site. If they do so, what's to keep someone from changing any/all fields? Worse, what if they tried to change the id (primary key)?
It feels like UpdateModel() is vulnerable to very basic hacking. Are my fears legitimate or is there something I'm missing?
// POST: /MyEvents/Edit/2
[AcceptVerbs(HttpVerbs.Post), Authorize]
public ActionResult Edit(int id, FormCollection formValues)
{
MyEvent myevent = eventRepository.GetMyEvent(id);
try
{
UpdateModel(myevent);
eventRepository.Save();
return RedirectToAction("Details", new { id = myevent.MyEventId });
}
catch
{
ModelState.AddRuleViolations(myevent.GetRuleViolations());
return View(new MyEventFormViewModel(myevent));
}
}