堆栈内存溢出
  简体   繁体   English

如何防止在 ASP.NET Core 中的 Razor 视图 HTML 中禁用或只读输入文件的模型绑定?

[英]How to prevent model binding of disabled or readonly input fileds in Razor view HTML in ASP.NET Core?

 原文  2021-10-24 14:29:15       c#/ asp.net-core/ razor/ razor-pages

问题描述

So I have complex object that should be displayed on the page.所以我有复杂的对象应该显示在页面上。 Some properties of this object should be disabled (or readonly) for users in certain access roles.对于某些访问角色的用户,应禁用(或只读)此对象的某些属性。 However, I noticed that if I edit this <input disabled .../> in devtools and remove disabled property and add arbitrary text, then model binder will happily take this value and put it in form model when submitted via OnPost action.但是,我注意到如果我在 devtools 中编辑这个<input disabled .../>并删除disabled属性并添加任意文本,那么模型绑定器会很高兴地获取这个值,并在通过OnPost操作提交时将其放入表单模型中。

Here is example code:这是示例代码:

    <form method="post">
        <div class="form-group col-sm-6">
            <label asp-for="FormModel.FirstName" class="control-label">First Name</label>
            <input asp-for="FormModel.FirstName"
                   disabled="disabled"
                   class="form-control"
                    />
        </div>
        <div class="form-group col-sm-6">
            <label asp-for="FormModel.LastName" class="control-label">Last Name</label>
            <input asp-for="FormModel.LastName"
                   class="form-control"
                   />
        </div>
        <input type="submit" value="Save" class="btn btn-primary" />
    </form>

And the page model:和页面模型:

    public class IndexModel : PageModel
    {
        private readonly MyDbMock _myDb;

        [BindProperty]
        public FormModel FormModel { get; set; }

        public IndexModel(MyDbMock myDb)
        {
            _myDb = myDb;
        }

        
        public void OnGet()
        {
            FormModel = new FormModel
            {
                FirstName = _myDb.FormModel.FirstName,
                LastName = _myDb.FormModel.LastName
            };
        }
        public IActionResult OnPost()
        {
            _myDb.FormModel = FormModel;
            return RedirectToAction(nameof(OnGet));
        }
    }

    public class FormModel
    {
        public string FirstName { get; set; }
        public string LastName { get; set; }
    }

    public class MyDbMock
    {
        public FormModel FormModel { get; set; } = new FormModel
        {
            FirstName = "John",
            LastName = "Smith"
        };
    }

When I open this page for the first time I get John in the disabled input with First name label.当我第一次打开这个页面时,我在禁用输入中看到John带有First name标签。 This is fine.这可以。 Then when I click Save my OnPost method will get FormModel object where FirstName is null.然后,当我单击Save我的OnPost方法时,将获取FirstName为 null 的FormModel对象。 This is reflected in the updated page.这反映在更新的页面中。 Can this be prevented and tell model binder just to not touch this property?可以防止这种情况并告诉模型绑定器不要触摸此属性吗? Ie. IE。 leave it as John when form is submitted and not set it to null because of it being disabled?提交表单时将其保留为John而不是因为它被禁用而将其设置为null

The other issue I have is that an advanced user can remove disabled attribute from the First Name input and just submit arbitrary value.我遇到的另一个问题是高级用户可以从First Name输入中删除disabled属性,然后提交任意值。 Can this also be prevented by telling model binder same thing as above?这也可以通过告诉模型活页夹与上述相同的事情来防止吗? Eg.例如。 leave First Name field as-is when it was sent in GET request, no updates.GET请求中发送First Name字段时保持原样,没有更新。

Here is the demo of all this:这是所有这些的演示:

在此处输入图片说明

I know I can handle this in backend code by preventing updating of the disabled fields.我知道我可以通过阻止更新禁用字段在后端代码中处理这个问题。 However I am looking some more elegant and declarative way if it exists.但是,如果存在,我正在寻找一些更优雅和声明性的方式。 In my main project the form model is much complex and has objects within objects so ideally I'd like to skip adding additional logic to action handler for this.在我的主要项目中,表单模型非常复杂,并且在对象中有对象,所以理想情况下我想跳过为此向动作处理程序添加额外的逻辑。

1 个解决方案

解决方案1
 0  2021-10-25 02:58:40

Try to add a hidden input to bind FormModel.FirstName ,and change the name of the disabled input,so that the value of disabled input will not be binded to FormModel.FirstName .尝试添加一个隐藏输入绑定FormModel.FirstName ,并更改禁用输入的名称,以便禁用输入的值不会绑定到FormModel.FirstName

<form method="post" >
    <div class="form-group col-sm-6">
        <label asp-for="FormModel.FirstName" class="control-label">First Name</label>
        <input asp-for="FormModel.FirstName" name="FirstName"
               disabled="disabled"
               class="form-control" />
        <input asp-for="FormModel.FirstName" hidden/>
    </div>
    <div class="form-group col-sm-6">
        <label asp-for="FormModel.LastName" class="control-label">Last Name</label>
        <input asp-for="FormModel.LastName"
               class="form-control" />
    </div>
    <input type="submit" value="Save" class="btn btn-primary" />
</form>

result:结果: 在此处输入图片说明

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Model 绑定在 ASP.NET 核心 Razor 页 - Model Binding in ASP.NET Core Razor Pages 如何从 razor 查看带有动态列表的 model 中的列表? ASP.NET 内核 3.1 - How to submit from a razor view a list in a model with dynamic list? ASP.NET Core 3.1 ASP.NET Core 2部分视图列表模型绑定 - ASP.NET Core 2 Partial View List Model binding 如何防止通过 ASP.NET Core Web API 中的模型绑定设置属性? - How to prevent a property from being set through model binding in ASP.NET Core Web API? Asp.net核心View组件模型绑定 - Asp.net core View components model binding razor 中的 FileNotFoundException 查看 ASP.NET 核心 - FileNotFoundException in razor view ASP.NET Core 如何在asp.net核心剃须刀页面中重用HTML代码段? - How to reuse HTML snippets in asp.net core razor page? ASP.NET MVC剃刀视图,发布到与原始模型绑定不同的模型? - ASP.NET MVC razor view, post to a different model from the original model binding? asp.net 核心 razor 页面复选框 model 绑定(始终为假) - asp.net core razor page checkboxes model binding (always false) ASP.NET 核心 Razor 页面绑定属性和保存数据 model - ASP.NET Core Razor Page binding properties and preserve data in model
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM