tags:

views:

232

answers:

2
+3  Q: 

asp.net MVC should a View-Model Encapsulate Domain-Model?

Hi all
I've see a lot of MVC examples where domain-objects are passed directly to views, this will work fine if your view is simple.

The common alternative is to have a view-model which has all the same properties as your domain-model + any extra properties your view may need (such as 'confirmPassword').

Before doing too much reading and before discovering AutoMapper I started creating my own variant of view-model where the domain-object (or multiple domain objects) are simply properties of the view-model.

Have I done a bad thing? What problems or benefits could be derived from this approach? Under what circumstances might this way of doing things work well?

A: 

Bad? Can't use Automapper. ;)

Good? Nothing comes to mind.

I don't think you've done anything horrible. Does it work for you? If so then why not?

jfar  2010-04-08 03:29:57
+3  A: 

There's nothing inherently bad about exposing your domain model directly to the view. The primary risk comes from exposing a property you didn't mean to, like a salary field on an Employee object. Be sure to watch out for this if you're returning JSON.

Another thing to watch out for is when you're binding back from an edit form. You should be aware about the specific risks that are involved. Basically a malicious user could add fields to the POST that happen to match fields that you didn't mean to be editable. I always bind to an intermediary object which is passed into a service before mapping it back to the domain.

Ryan  2010-04-08 04:02:04
This only applies to domain objects that are action parameters; there's nothing insecure about passing them to views.
queen3  2010-04-08 11:34:53
@queen There are two separate concerns. Outgoing: exposing sensitive fields through JSON/XML/whatever. Incoming: malicious form parameters.
Ryan  2010-04-08 21:43:32
I recall someone advocating the viewModel is the SAME type as the Action parameter for postbacks. It seems that approach means you must separate your Domain model completely. (unless it's intended to be entirely open to modification)
Myster  2010-04-11 23:13:25
@Myster There are some people who advocate that. I've actually gone one step further in some complex cases by having separate (but similar) output and input models. Yes this does separate your domain entirely but that is my goal. Isolating the domain makes me think about exactly what the user is going to be doing, plus I only have to put security in one spot, the service layer.
Ryan  2010-04-11 23:43:38

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data