
Why is the ID in the URL checked against the ID in the model/hidden input when posting an edit action in scaffolded code?

If you create an "MVC Controller with view, using Entity Framework" using Visual Studio scaffolded code, an Edit method is created to respond to POST. This method contains the check if (id != movie.ID), which appears to have no real value. This same pattern is used in the ASP.NET Core 3.1 tutorial:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Edit(int id, [Bind("ID,Title,ReleaseDate,Genre,Price")] Movie movie)
{
    if (id != movie.ID)
    {
        return NotFound();
    }
    ...

The docs state:

The HttpGet Edit method takes the movie ID parameter, looks up the movie using the Entity Framework FindAsync method, and returns the selected movie to the Edit view. If a movie cannot be found, NotFound (HTTP 404) is returned.

  • What is the purpose of this check?
  • It appears to have no real value - the client appears to be sending both values.
  • Should I remove it? Should I keep it?

I think this is just a sanity check, to make sure the ID the client is posting to matches the ID in the data the client attaches in the POST request.

If the user is using the form from the view to submit the POST request, I don't see how you can get a different value for the ID. But just in case of a client submitting the form without using your view, those ID values could be different. One of the examples could be using Postman.

If the POST URL is /movie/edit/7, but the ID from the post body is 6 for example, your application/you will need to decide what to do. So it's up to you, as the developer, to determine whether it has value or not to add a check like that.

I usually just ignore the ID from the URL if it's a POST request. There shouldn't be an ID on the URL if it's a well-constructed RESTful API endpoint anyway. So instead, my Controller will only work with the data from the posted-back view model:

[HttpPost]
//[ValidateAntiForgeryToken] - I think ASP.NET Core MVC automatically has that on
public async Task<IActionResult> Edit(MovieViewModel vm)
{
    if (ModelState.IsValid)
    {
        ...
    }

    ...
}

According to Microsoft:

The scaffolder generates that. Feel free to remove it. In some cases it may be needed.
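
The mismatch case raised in the answers above (a POST to /movie/edit/7 whose body carries ID 6) is simulated below as an added example; it is not code from the tutorial or from any of the posters. It assumes a hypothetical authorization check keyed on the route id and a hypothetical Owner field, with an in-memory dictionary standing in for the EF context, to show one situation where the check matters.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the page's Movie entity; Owner is a hypothetical field.
record Movie(int ID, string Title, string Owner);

static class EditDemo
{
    // Constructed sample data standing in for the database.
    static readonly Dictionary<int, Movie> Store = new()
    {
        [6] = new Movie(6, "Alice's film", "alice"),
        [7] = new Movie(7, "Bob's film", "bob"),
    };

    // Hypothetical authorization keyed on the route id, as a filter or policy might be.
    static bool CanEdit(string user, int routeId) =>
        Store.TryGetValue(routeId, out var m) && m.Owner == user;

    // Returns an HTTP-style status code; checkIds toggles the scaffolded guard.
    public static int Edit(string user, int routeId, Movie posted, bool checkIds)
    {
        if (checkIds && routeId != posted.ID) return 404;   // if (id != movie.ID) return NotFound();
        if (!CanEdit(user, routeId)) return 403;
        if (!Store.TryGetValue(posted.ID, out var existing)) return 404;
        // The write is keyed on the posted model's ID, not on the route id.
        Store[posted.ID] = posted with { Owner = existing.Owner };
        return 200;
    }

    static void Main()
    {
        // Constructed request: bob posts to /movie/edit/7 with a body whose ID is 6.
        var body = new Movie(6, "changed by bob", "bob");
        foreach (var guard in new[] { true, false })
        {
            int status = Edit("bob", 7, body, guard);
            Console.WriteLine($"guard={guard} status={status} movie6=\"{Store[6].Title}\"");
        }
    }
}
```

With the guard on, the mismatched request is rejected before any write. With it off, the permission decision is made for record 7 while the update lands on record 6, so removing the check is only safe when nothing else in the request pipeline relies on the route id.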
