在ASP.NET MVC中编辑模型
[英]Editing a model in asp.net mvc
问题描述
I'm developing a simple site using ASP.NET MVC 5 and I have some issue with editing a model. 
我正在使用ASP.NET MVC 5开发一个简单的网站,并且在编辑模型时遇到一些问题。
Say, the model is as follows: 说,模型如下:
public class Model
{
public string Login { get; set; }
public string Password { get; set; }
}
I have two different user roles, for example, Admin and User. 我有两个不同的用户角色,例如Admin和User。 Now I'd like User to be able to edit only Login, whilst Admin should be able to edit both properties. 现在,我希望用户只能编辑登录名,而管理员应该可以编辑两个属性。 I'm using pretty standard edit approach, something like this: 我正在使用非常标准的编辑方法,如下所示:
[HttpGet]
public ActionResult Edit(int id)
{
return View(FindModel(id));
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(Model model)
{
if (ModelState.IsValid)
{
UpdateModel(model);
return RedirectToAction("Index");
}
return View(model);
}
The ideas I have: 我的想法:
I can show the Password text field only if a user is Admin so that User won't be able to change it. 仅当用户是Admin时,我才能显示Password文本字段,这样User就无法更改它。 However, as far as I know, MVC binding uses the id (or name, probably) of an element to bind it to a model, so User will be able to manually create a field for password modifying HTML directly and then send the data to the controller. 但是,据我所知,MVC绑定使用元素的ID(或名称)将其绑定到模型,因此用户将能够手动创建用于直接修改HTML的密码的字段,然后将数据发送到控制器。
I can create two different Models for Admin and User, say UserModel and AdminModel , two different actions in controller, and depending on the role of a user, I will create different submit buttons for User and Admin. 我可以为Admin和User创建两个不同的模型,例如UserModel和AdminModel ,这是控制器中的两个不同操作,并且根据用户的角色,我将为User和Admin创建不同的提交按钮。 So, User will click on 'EditUser' button and UserModel won't even content Password, therefore making it not so easy to forge the password. 因此,用户将单击“ EditUser”按钮,而UserModel甚至不包含密码,因此伪造密码并不容易。
I can check if the pass was changed and the user is User, an error will be shown. 我可以检查通行证是否已更改,并且用户是User,将显示错误。
Other solution is to simply divide editing into two actions: edit login and edit password separately. 另一种解决方案是将编辑简单地分为两个动作:分别编辑登录名和编辑密码。
Could anyone give any ideas as to how to solve this and whether or not I need to protect the application from such forgery? 任何人都可以对如何解决这个问题以及我是否需要保护应用程序免受伪造提出任何想法?
1 个解决方案
解决方案1
2 已采纳 2015-05-08 22:16:45
There are a LOT of way to do this. 有很多方法可以做到这一点。 To keep the code DRY I would do something like: 为了使代码保持干燥,我将执行以下操作:
public class EditLoginVM
{
public bool CanEditPassword { get; set; }
public string Login { get; set; }
public string Password { get; set; }
}
In the view: 在视图中:
@if (Model.CanEditPassword )
{
// Show Password Textbox blah blah :)
}
Controller: 控制器:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(EditLoginVM model)
{
if (ModelState.IsValid)
{
var updateModel = new Model();
updateModel.Login = model.Login;
if (/* user is admin, don't use EditLoginVM.IsAdmin!!!! */)
{
model.Password = model.Password;
}
UpdateModel(model);
return RedirectToAction("Index");
}
model.CanEditPassword = /* reset it just in case of overposting */;
return View(model);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.