实体框架通过关系发布到POCO

Question

I have a C# program on the entity framework using mvc4.

I was wondering if it was possible (which I am sure it is) to have C# do the automatic binding of a post to an object that has a relation.

Ex: I have an Item class, that has a relationship with the User class:

public class Item
{
    public int ItemId{get;set;}
    public string Name{get;set;}

    public virtual User Owner{get;set;}
}

I have an ItemController with a post method:

public class ItemController
{
    ...
    public HttpResponseMessage PostItem(Item item)
    {
         ....
    }
}

How does posting and dynamic binding work with classes that have relations?

Answer 1

Yes, it's possible. But you should never (well, almost never) post directly to EF models. The reasons are many, but security is high on the list, but maintainability and (separation of concerns, for instance) is also very high.

How can it be a security problem? Let's say your User property has a field "IsAdmin", even if you do not have any reference to IsAdmin in your view, a malicious user could post an Owner.IsAdmin of true and if you SaveChanges, your user is now an administrator.

Yes, it's true, your app may not work that way. But other details could be hacked, maybe passwords changed, or any number of other possible ways to be malicious.

As a rule, just do not ever pass your data models directly to the view. Use an intermediate view model, and copy only the authorized values between, and only have the fields necessary for the view in the view model.