[英]How to prevent model binding of disabled or readonly input fileds in Razor view HTML in ASP.NET Core?
So I have complex object that should be displayed on the page.所以我有复杂的对象应该显示在页面上。 Some properties of this object should be disabled (or readonly) for users in certain access roles.
对于某些访问角色的用户,应禁用(或只读)此对象的某些属性。 However, I noticed that if I edit this
<input disabled .../>
in devtools and remove disabled
property and add arbitrary text, then model binder will happily take this value and put it in form model when submitted via OnPost
action.但是,我注意到如果我在 devtools 中编辑这个
<input disabled .../>
并删除disabled
属性并添加任意文本,那么模型绑定器会很高兴地获取这个值,并在通过OnPost
操作提交时将其放入表单模型中。
Here is example code:这是示例代码:
<form method="post">
<div class="form-group col-sm-6">
<label asp-for="FormModel.FirstName" class="control-label">First Name</label>
<input asp-for="FormModel.FirstName"
disabled="disabled"
class="form-control"
/>
</div>
<div class="form-group col-sm-6">
<label asp-for="FormModel.LastName" class="control-label">Last Name</label>
<input asp-for="FormModel.LastName"
class="form-control"
/>
</div>
<input type="submit" value="Save" class="btn btn-primary" />
</form>
And the page model:和页面模型:
public class IndexModel : PageModel
{
private readonly MyDbMock _myDb;
[BindProperty]
public FormModel FormModel { get; set; }
public IndexModel(MyDbMock myDb)
{
_myDb = myDb;
}
public void OnGet()
{
FormModel = new FormModel
{
FirstName = _myDb.FormModel.FirstName,
LastName = _myDb.FormModel.LastName
};
}
public IActionResult OnPost()
{
_myDb.FormModel = FormModel;
return RedirectToAction(nameof(OnGet));
}
}
public class FormModel
{
public string FirstName { get; set; }
public string LastName { get; set; }
}
public class MyDbMock
{
public FormModel FormModel { get; set; } = new FormModel
{
FirstName = "John",
LastName = "Smith"
};
}
When I open this page for the first time I get John
in the disabled input with First name
label.当我第一次打开这个页面时,我在禁用输入中看到
John
带有First name
标签。 This is fine.这可以。 Then when I click
Save
my OnPost
method will get FormModel
object where FirstName
is null.然后,当我单击
Save
我的OnPost
方法时,将获取FirstName
为 null 的FormModel
对象。 This is reflected in the updated page.这反映在更新的页面中。 Can this be prevented and tell model binder just to not touch this property?
可以防止这种情况并告诉模型绑定器不要触摸此属性吗? Ie.
IE。 leave it as
John
when form is submitted and not set it to null
because of it being disabled?提交表单时将其保留为
John
而不是因为它被禁用而将其设置为null
?
The other issue I have is that an advanced user can remove disabled
attribute from the First Name
input and just submit arbitrary value.我遇到的另一个问题是高级用户可以从
First Name
输入中删除disabled
属性,然后提交任意值。 Can this also be prevented by telling model binder same thing as above?这也可以通过告诉模型活页夹与上述相同的事情来防止吗? Eg.
例如。 leave
First Name
field as-is when it was sent in GET
request, no updates.在
GET
请求中发送First Name
字段时保持原样,没有更新。
Here is the demo of all this:这是所有这些的演示:
I know I can handle this in backend code by preventing updating of the disabled fields.我知道我可以通过阻止更新禁用字段在后端代码中处理这个问题。 However I am looking some more elegant and declarative way if it exists.
但是,如果存在,我正在寻找一些更优雅和声明性的方式。 In my main project the form model is much complex and has objects within objects so ideally I'd like to skip adding additional logic to action handler for this.
在我的主要项目中,表单模型非常复杂,并且在对象中有对象,所以理想情况下我想跳过为此向动作处理程序添加额外的逻辑。
Try to add a hidden input to bind FormModel.FirstName
,and change the name of the disabled input,so that the value of disabled input will not be binded to FormModel.FirstName
.尝试添加一个隐藏输入绑定
FormModel.FirstName
,并更改禁用输入的名称,以便禁用输入的值不会绑定到FormModel.FirstName
。
<form method="post" >
<div class="form-group col-sm-6">
<label asp-for="FormModel.FirstName" class="control-label">First Name</label>
<input asp-for="FormModel.FirstName" name="FirstName"
disabled="disabled"
class="form-control" />
<input asp-for="FormModel.FirstName" hidden/>
</div>
<div class="form-group col-sm-6">
<label asp-for="FormModel.LastName" class="control-label">Last Name</label>
<input asp-for="FormModel.LastName"
class="form-control" />
</div>
<input type="submit" value="Save" class="btn btn-primary" />
</form>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.