c# - How do ViewModels prevent malicious database changes? -


while looking @ this answer question why use viewmodels?, came across section:

"a view should not contain non-presentational logic" , "you should not trust view" (because view user-provided). providing model object (potentially still connected active databasecontext) view can make malicious changes database.

what refer to? if have userid , password in model , viewmodel, security come in? kind of check in controller? check?

how determine can trust data view? handled antiforgery token?

i believe answer referring over-post problem. when utilize entity class directly view, , particularly if save posted entity directly database, malicious user modify form post fields should not able modify.

for example, let's had form allows user edit widgets. let's have row-level permissions, such user can edit widgets belong them. so, joe, our fictitious malicious user, edits widget he's allowed edit id 123. but, decides wants mess jane's widget, adds field form named id , gives value of jane's widget id. when joe posts widget form, jane's widget updated instead.

a view model not solely solving problem, negate issue because, inherently, cannot directly save view model database. instead, must map view model's values onto entity, before saving entity database. result, explicitly control , not mapped, in same example above, joe changing id ends having no effect because you're not mapping onto entity.

in truth, real problem here in directly saving posted user directly database. still feed entity class view "model", not save posted instance. instead, create new instance of entity or pull instance database fresh, , map values posted instance on that. again, wouldn't map property id, again joe foiled. in other words, it's not view model solves problem, it's never trusting user enough directly save created via post solves issue.

microsoft gives alternative solution in form of bind attribute, allows include/exclude properties on entity class modelbinding process (ignoring posted values, in other words). so, example, potentially solve issue above decorating param on action [bind(exclude = "id")], discard posted value id. however, bind horrible number of reasons, , should not use it. use view model instead, or don't ever directly save entity instance created modelbinder.


Comments

Post a Comment

Popular posts from this blog

node.js - Node js - Trying to send POST request, but it is not loading javascript content -

i have been trying send post request website, , has not been loading full site. i guessing problem node js not loading javascript content, executing it. can see javascript in response, though never loads content javascript files producing in html. what mean is, doesn't execute javascript. how make node js code overcome this, , wait the full website load? have tried native code, , "request' module, both producing same errors. if helps, don't need native javascript. modules fine. some code have tried (request module): var options = { method: 'post', uri: 'https://url', formdata: { 'email': 'email', 'prize': '0', 'transactional': 'on' }, headers: { /* 'content-type': 'application/x-www-form-urlencoded' */ // set automatically } }; rp(options) .then(function (body) { console.log(body) }) .catch(function (err) { console.log(err) }); when fetch content...
Read more

javascript - Replicate keyboard event with html button -

i have tried few ways make happen. have javascript pinball game uses keyboard keys controls. converting application touch screen display. workaround, hoping overlay buttons when clicked simulate keyboard strokes. have done research , sounds should work. using jquery v3.2.1 here things have tried far... html element: <input type="button" class="coil"></input> $('.coil').trigger({type: 'keydown', which: 40, keycode: 40}); with this, not errors, nothing happens. var coilkey = $('body').keydown(function(e) { switch (e.keycode) { case 40: break;} }) $('.coil').click(coilkey); this 1 returns error in console... ((jquery.event.special[handleobj.origtype] || (intermediate value)).handle || handleobj.handler).apply not function below javascript game engine handles key listeners... addkeylistener: function (keyandlistener) { this.keylisteners.push(keyandlistener); }, // gi...
Read more

javascript - Web audio api 5.1 surround example not working in firefox -

i've been playing lott lately web audio api on both firefox , chrome. few days ago started experiment surround set. when trying surround audio in web audio api came notice example works fine in chrome v59 not in firefox v54. // create web audio api context var audioctx = new (window.audiocontext || window.webkitaudiocontext)(); audioctx.destination.channelinterpretation = 'discrete'; audioctx.destination.channelcountmode = 'explicit'; audioctx.destination.channelcount = 6; var oscillators = []; var merger = audioctx.createchannelmerger(6); console.log(audioctx.destination, merger); //merger.channelinterpretation = 'discrete'; //merger.channelcountmode = 'explicit'; //merger.channelcount = 6; var addoscilator = function(channel, frequency) { var oscillator = audioctx.createoscillator(); oscillator.frequency.value = frequency; // value in hertz oscillator.connect(merger,0,channel); oscillator.start(); oscillators.push(o...
Read more