Posted by: Cirilo Meggiolaro | 05/1/2009

Tip of the day #199 – ASP.NET MVC – Defining model-binding explicitly

When we have a ASP.NET MVC View that accepts user input and posts those inputs to a server we have the option to use the built-in Model-binding features from ASP.NET MVC by either receiving an instance of the ModelView type as parameter on the action method that handles the post or by invoking the UpdateModel method.

It is an automatic and useful bind model but to provide more control and security we can restrict the properties that are allowed to be bound automatically. Let’s check how we can perform that.

Option 1 – The Bind attribute

The Bind attribute is an easy way to define the properties that may be updated. Since it is an attribute it’s just a matter to define it on the action method that handles the post operation.

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create( [Bind(Include=“Name,Description,Active”)] MyModelView myModelView) { }

When the post occurs only the properties defined using the attribute will be updated. You have an option to define the properties that are excluded from the update by using the Bind attribute with the Exclude named parameter instead.

[Bind(Exclude=“ID,CreatedDate,CreatedBy”)]

You have another option that is to define on the ViewModel level so all update processes will follow this definition.

[Bind(Include=“Name,Description,Active”)]
public class MyViewModel{ }

Option 2 – UpdateModel method overloads

The generic UpdateModel method has several overloads available but six of them accept arrays of strings to define the properties that must be either included or excluded. Let’s check those overloads:

  • void UpdateModel<TModel>(TModel model, string[] includeProperties);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties);
  • void UpdateModel<TModel>(TModel model, string[] includeProperties, IDictionary<string, ValueProviderResult> valueProvider);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, IDictionary<string, ValueProviderResult> valueProvider);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties, IDictionary<string, ValueProviderResult> valueProvider).

So, if you want to define properties to be included or excluded during the Update process, you just need to create an array of strings and invoke the UpdateModel method overload that fits better into your needs.

string[] includeProperties = { “Name”, “Description”, “Active” };
UpdateModel(myModelView, includeProperties);

About these ads

Responses

  1. Hi Cirilo,

    Have you actually seen includeProperties actually working? I am trying it at the moment, and still, all properties are being bound, even ones that don’t exist on the form – and they are being bound to null, including my lists and creation date/time’s etc, which is not good, hence why I wish to use includeProperties.

    Any thoughts?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: