+1  A: 

I have worked around this problem by making the action accept two objects (the parent and the child object).

Example:
Suppose we have the following model:

    public class Employee
    {
        public string Name { get; set; }
        public int Age { get; set; }
        public Company Comapany { get; set; }
    }

    public class Company
    {
        public int Phone { get; set; }
    }

You build your form like this:

    <form action="Home/Create" method="post">
        <label for="Employee.Name">Name</label>
        <%=Html.TextBox("Employee.Name") %><br />
        <label for="Employee.Age">Age</label>
        <%=Html.TextBox("Employee.Age") %><br />
        <label for="Company.Phone">Company Phone</label>
        <%=Html.TextBox("Company.Phone") %><br />
        <input type="submit" value="Send" />
    </form>

Then build a "Create" action that accepts two objects, one of type Employee and the other of type Company, and assign the Company object to the Employee.Company property inside the action:

    public ActionResult Create(Employee employee, Company company)
    {
        employee.Comapany = company;
        UpdateModel(employee);
        return View();
    }

I hope this helps you.

Edit:

    public ActionResult Create(Employee employee, Company company)
    {
        employee.Comapany = company;
        UpdateModel(employee, new[] {"Name", "Email", "Phone"});
        return View();
    }

Marwan Aouida
Thank you for your reply. However, I'm not having any problems binding the model: my problem is trying to restrict what in the model gets bound. It seems that in your example, without supplying either a whitelist or blacklist (or other equivalent) to the UpdateModel method, someone could still set Company.IsPremiumMember by injecting this into their form post.
Funka
Then the solution is to pass the list of properties you want to include to the UpdateModel method. I will update my answer.
Marwan Aouida
I added an addendum to my original post. (See especially the last line.) The problem more appropriately seems like an "all or nothing" on the Company property...
Funka
A minor point, but in the form example above, the text boxes' id attributes will be rendered with underscores instead of periods, so the label for tags need to be modified accordingly. ex: <label for="Employee_Name">Name</label>
James H
Thank you Marwan, I do see that your latest edit does technically accomplish what I'm looking for. Since I have about eight or nine objects (all as children of the Company) however, it does not seem very appealing to have to account for all of these in such a manner. The solution I came up with seems, in my case, to allow me to only have to deal with one white list and one "UpdateModel" call, and can also avoid having to "re-attach" all of my objects afterwards. I'll also be able to re-use my own whitelisting technique on the rest of the pages I still have left to build! Thanks again!
Funka
btw your input names are wrong, they should match the parameter name, not the type, i.e. starting letters should be lower case
murki
No, the input names must be the same as the type's member names.
Marwan Aouida
+1  A: 

In general, the best way to go is to create view-models, models built specifically for your views. These models are not domain objects. They are data-transfer objects, built to transfer data from your controller actions to your view templates. You can use a tool like AutoMapper painlessly to create/update a domain model object from your view-model object or to create/update a view-model object from your domain model.

Justice
AutoMapper looks like an excellent utility that would indeed simplify this. I'm going to check it out later this evening. Thanks!
Funka
I've also found that UpdateModel comes in a generic form, UpdateModel<T>, which I found on another post here at S.O. that recommends creating an interface T that can act as a whitelist. I did not see this technique in either of the MVC books I have read, but it seems like it might have some promise. (Perhaps no more effort than creating a handful of DTOs.) P.S. this other post I referenced is here: http://stackoverflow.com/questions/924424/difference-using-updatemodel-and-modelbinding-in-parameter
Funka
If you use the view-model pattern, you can also perform powerful server-side validation on the strictly typed view-model (instead of on Request.Form or FormCollection fields) using libraries such as Castle.Components.Validator or FluentValidation.
Justice
Scott Guthrie blogged about using an interface as a whitelist: http://weblogs.asp.net/scottgu/archive/2008/10/16/asp-net-mvc-beta-released.aspx#five
Richard Poole
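
An added example (not from the thread and not ASP.NET MVC's own code) of the view-model approach suggested above, set against binding directly onto the domain object. `Bind` is a simplified stand-in for a reflection-based model binder, `EmployeeForm` and `CompanyPhone` are hypothetical names, and `IsPremiumMember` is the flag mentioned in the comments on the first answer:

```csharp
using System;
using System.Collections.Generic;

// Domain model from the thread, plus the flag named in the comments.
public class Company { public int Phone { get; set; } public bool IsPremiumMember { get; set; } }
public class Employee
{
    public string Name { get; set; }
    public int Age { get; set; }
    public Company Company { get; set; } = new Company();
}
// Hypothetical view-model: only what the form may change; no IsPremiumMember to bind.
public class EmployeeForm
{
    public string Name { get; set; }
    public int Age { get; set; }
    public int CompanyPhone { get; set; }
}

public static class Demo
{
    // Simplified stand-in for a reflection-based binder (not MVC's DefaultModelBinder):
    // follows dotted keys such as "Company.Phone" and sets any matching public property.
    public static void Bind(object target, IDictionary<string, string> form)
    {
        foreach (var pair in form)
        {
            object current = target;
            var parts = pair.Key.Split('.');
            for (int i = 0; i < parts.Length && current != null; i++)
            {
                var prop = current.GetType().GetProperty(parts[i]);
                if (prop == null) break;                      // unknown key: ignored
                if (i < parts.Length - 1) current = prop.GetValue(current);
                else prop.SetValue(current, Convert.ChangeType(pair.Value, prop.PropertyType));
            }
        }
    }

    public static void Main()
    {
        // Constructed form post; the last key was never rendered in the form.
        var post = new Dictionary<string, string> {
            { "Name", "Ann" }, { "Age", "30" }, { "Company.Phone", "5551234" },
            { "CompanyPhone", "5551234" }, { "Company.IsPremiumMember", "true" } };
        var direct = new Employee();
        Bind(direct, post);                                   // straight onto the domain object
        var vm = new EmployeeForm();
        Bind(vm, post);                                       // the extra key has nowhere to land
        var safe = new Employee { Name = vm.Name, Age = vm.Age, Company = new Company { Phone = vm.CompanyPhone } };
        Console.WriteLine("domain bind: " + direct.Company.IsPremiumMember + ", view-model: " + safe.Company.IsPremiumMember);
    }
}
```

Binding onto the domain object leaves `IsPremiumMember` set from the posted value, while the view-model path never touches it because the only copy into `Employee` is the explicit mapping.
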
A: 

Have you tried using the following?

    public ActionResult Create([Bind(Exclude="PropertyToExclude1, PropertyToExclude2")] Employee employee)
    {
        // action code here
    }

Or use Include instead of Exclude to list what fields can be bound rather than which can't.

woopstash
Hello, as shown in my original post, the issue is not that I can't exclude "PropertyToExclude1". The issue is that I can't exclude "SomeParent.SomeProperty" in this manner.
Funka