I'm creating a system using ASP.NET MVC for filling out online job applications. It's really just an experiment to familiarize myself with the MVC framework. I'm definitely not a security expert so I just wanted to get some advice here since this web app will be dealing with sensitive information.
The system has a wizard-like set of views. You go from one view to the next filling out the relevant information until the end when you finally submit it.
Each job application is stored in the database with a GUID primary key. Right now I am simply storing that GUID in a hidden field in the view of each page. This makes it easy to update the model in the controller like so:
[HttpPost]
public ActionResult ExampleAction(FormCollection formValues)
{
Guid appId = new Guid(Request.Form["ModelId"]); // the GUID stored in the hidden field
ExampleModel example = db.Entities.Single(e => e.ModelId == appId);
UpdateModel(example, formValues);
db.SaveChanges();
return RedirectToAction("ExampleAction2", new { appId = appId.ToString() });
}
I know this is not secure because anyone with any kind of development experience knows you can edit the values of hidden fields in any browser's developer tools. So what's the recommended way to securely get the same results?
You should store it in the Session object. That way, you can call it at anytime from anywhere and it will never display on any of your views.
The doc: http://msdn.microsoft.com/en-us/library/ms178581.aspx
I know this has been answered, just for interest sake I want to leave another option. How you could go about it is parsing the information you get from the first view as a JSON string that you can store in a cookie and then later serialize it when you need it.
This is asuming that the information is safe to store client side. Otherwise it could be an encrypted cookie I suppose. This would address the concerns for cloud computing and load balancers etc.
Why not post to each step instead of using RedirectToAction? That way you can create a model that contains each step.. for example:
class JobApplicationViewModel
{
public Guid ApplicationGuid { get; set; }
public StepOne Step1 { get; set; }
public StepTwo Step2 { get; set; }
public int CurrentStep { get; set; }
}
The step 1 view can post to step 2.. for example:
[HttpPost]
public ViewResult StepTwo(JobApplicationViewModel viewModel)
{
ServiceLayer.Update(viewModel);
return View(viewModel);
}
Then, the StepTwo view posts to StepThree, StepThree posts to Step4, etc. This makes sense logically, as you're only allowing people to get to any step beyond step 1 by posting the form.
Related
I have been looking at C# MVC for a while now and really getting in to it. I have come across how to pass 2 or more Domain Models in to a View but what i need to ask is security. I have read about Over Posting and that is can be stopped with Binding inclusions and exclusions but how does this effect a ViewModel with 2 or more Model inside it. Is there still the possibility of hidden fields in the HTML that resolve to the Domain Models and are they editable.
I have been looking to make ViewModels where i give it certain things i want the user to edit but it just seems over complicated, so is there a better and easier way of doing this.
public TicketViewModel {
private Ticket _ticket;
public TicketViewModel(Ticket Ticket)
{
_ticket = Ticket;
}
public string Title
{
get
{
return _ticket.Title;
}
}
public List<Comment> Comments
{
get
{
return _ticket.Comments;
}
}
}
As you can see I create a new ViewModel with the Ticket Domain Model but the main concern that i have is returning a List of Domain Model Comments as i only want them to be read only.
Any help would be greatly appreciated.
For security:
If i get what you are asking about then
First of all the user can edit everything on the client side and we cannot do anything for this.
But for your concern if you have not added code on server side than no one will be able to change your data using your application , also you can add validation on server side.
For adding List in a ViewModel:
public class MainViewModel
{
public string Title{get;set;}
public List<Comment> ListComments {get;}
}
"i have is returning a List of Domain Model Comments as i only want them to be read only"
you can use this,
public List<Comment> Comments { get; }
Consider the ReadOnlyCollection, and the method AsReadOnly provided by List.
Your comment property can be rewritten as -
public List<Comment> Comments
{
get
{
return _ticket.Comments.AsReadOnly();
}
}
If you don't want something to be editable, just don't modify it.. I think this is unrelated to MVC.. You are in control of server code, so if you want comments to be readonly, just don't modify them in your server code. All these "models" exist as long as your HTML is being rendered on the server.
Client by itself won't be able to modify your database, only to modify it's HTML or send requests to your server.. It's your server code that actually modifies things.
Looking at this, and not knowing the context it is in, I would suggest using the domain model itself in your view and not wrapping it in the TicketViewModel. The ViewModel doesn't seem to add anything.
For the read only comments: I don't think it matters whether the collection in the ViewModel is editable. What matters is that you don't render editable controls in your view. And most important that the code in your Save (or whatever it is called) action ignores whatever comments are posted.
I've written a little MVC3 site that let's certain users review Active Directory Accounts.
For audits we are required to keep track off our 'user reviews'. So, once a month I put everything in an SQL database. With the state 'to be checked'.
This looks like this:
I'd like to have a way that people can quickly approve them by just checking a textbox and saving it.
How would I go about this?
The 'ReviewState' is a separate object (StateID, StateText, Description, Active).
Possibilities are: Unchecked, Approved, Denied, Silently Approved, ...
Create a ReviewState model and a strongly typed partial view for it containing StateId, StateText, Description etc).
Your parent model should contain a list of ReviewStateModel's. In the main view, loop through that and render a partial for each model in the list.
You may need to add an Id so that you can identify each review model on the server side.
Create a ViewModel to be used in your view:
public class AccountViewModel
{
public AccountInfo Account { get; set; }
public ReviewState Review { get; set; }
}
This way you can add a checkbox for Approve like this:
#Html.CheckboxFor(x => x.Active);
You will get this model back to your post action. The only thing left is extract data and update database.
I might not be accurate with property names here and code is written from my head but I think you get the point
Here's my problem:
We have an intranet asp.net mvc 3 application with a controlled set of users. We have a Person class, that contains a large amount of information, that is initially loaded and stored in the session. The data/editing for this object spans across many screens. Basically, each screen is a subset of the Person's data.
I'm trying to take advantage of the built in model binding in asp.net mvc. Should I create a data class that binds the form data from each screen and then updates my session object using a service object?
Example below: DxFormData contains a subset of the person data and will only be used as a parameter on this method.
public ActionResult Dx(DxFormData data)
{
// Update current session Person object with data passed in if modelstate is valid
var viewModel = this.GetDxViewModel();
return View(viewModel);
}
public class DxForm Data
{
public string AdmitDx { get; set; }
public string PrinDx { get; set; }
}
I'm looking for thoughts on this approach and if there's a better solution available to me. The problem that I see, is that the person class contains all the data and I'm creating another class with a subset of that data. Obviously, duplicating the properties.
Side note: I did write a custom model binder that returned the session person for binding. However, I am continually getting errors when it attempts to bind.
I don't see problem with this approach. If you try to use the Parent class as the action parameter then in each form submit action then you will get validation errors because the model is not completely filled, so you should use view models in this case and unfortunately you can't avoid duplicating properties.
Being rather new to ASP.NET MVC, I am already seeing some benefits of it for code reuse and maintainability. When asking a previous question on routing, I had another idea for my example, but unsure how to implement it.
Question: How can I reuse my issue view and controller in separate pages, as well as having parameters for certain things (like how many issues to display)?
Example: Say in my web application I want to show a list of issues. These issues are grouped by projects. So if you go to www.example.com/projectname/issues, you would see a list of issues for that project, and if you went to www.example.com/issues, you would see all issues for all projects. What I would like to do is that if you go to www.example.com/projectname, you would see some info about that project, including the last 10 issues submitted.
How can I reuse this issue code? I see I have the option for Partial View, but when I implemented it, I was unsure how to route any code to it. In Web Forms, you could make a ASP.net control, set some parameters in the code behind, and then embed this control elsewhere.
Some of the examples I have found so far either lack a complete implementation (goiing beyond just adding some HTMl in other pages), look like older MVC code that doesn't seem to work for me in ASP.NET MVC 3, and lack allowing me to set paramaters and showing this type of reuse.
My terminology may not be entirely correct here. If anything, I am trying to find the best (read MVC) way to replicate something like ASP.net Web Forms User Controls. As in, reusing my 'issues' code (HTML and C#) on both a 'master' issues list, as well as an issues 'widget' if you will
Skip the temptation write code in the view that goes out and accesses data on it's own. That includes using built-in functions like RenderAction. Even though RenderAction "goes back" to execute another controller it doesn't mean the view isn't taking an action on its own, which arguably breaks the MVC approach where views are supposed to do nothing and the model is supposed to contain everything the view needs.
Instead what you could do is send back a model for your issue list page(s) which contains a property containing the issues list:
public class IssueListModel {
public List<Issue> Issues { get; set; }
}
Populate it in your issue list action:
public ActionResult IssueList(string projectName) // projectName may be null
{
var issueListModel = new IssueListModel();
issueListModel.Issues = SomeRepository.GetIssues(projectName); // whatever you need to send...
return View(issueListModel);
}
Then on your list pages you could loop through it:
#foreach (var issue in Model.Issues) {
<div>#issue.IssueName</div>
}
Or you could send the Issues collection down to a partial view:
#Html.RenderPartial("IssueList", Model.Issues)
You can type your partial view to expect List as the model:
#model List<MyProject.Models.Issue>
... and then loop through it in the partial view, this time doing a foreach on the model itself:
#foreach (var issue in Model) {
<div>#issue.IssueName</div>
}
Then what you can do is make a separate model for your project detail view which also contains a property containing Issues:
public class ProjectDetailModel {
public Project Project { get; set; }
public List<Issue> Issues { get; set; }
public string Whatever { get; set; }
}
In the controller you can populate this List using the same function that you would populate in your lists controller:
public ActionResult ProjectDetail(string projectName)
{
var projectDetailModel = new ProjectDetailModel();
projectDetailModel.Issues = SomeRepository.GetIssues(projectName, 10); // whatever you need to send
return View(projectDetailModel);
}
Then you can re-use the same exact partial view on your ProjectDetail view:
#Html.RenderPartial("IssueList", Model.Issues)
A long answer but I hope this is what you were looking for!
If you want to re-use presentation logic only, you can use partial view. If you want to re-use also controller's logic, you have to use child action combined with partial view.
Create a controller
public class IssuesController : Controller
{
[ChildActionOnly]
public PartialViewResult List(string projectName, int issueCount = 0)
{
IEnumerable<Issue> issueList = new List<Issue>();
// Here load appropriate issues into issueList
return PartialView(issueList);
}
}
Do not forget also to create appropriate partial view named List within the folder Issues.
Finally use this line within your project view
#{ Html.RenderAction("List", "Issues", new { projectName = "Px", issueCount = 10 } ); }
and this line within your issue list view
#{ Html.RenderAction("List", "Issues", new { projectName = "Px" } ); }
In your controller method return the view as named rather than just View()
ie...
public ViewResult IssueView1()
{ return View("Issue");}
public ViewResult IssueView2()
{return View("Issue");}
I think I'm missing some fundamentals on how MVC forms work. I have a search form on my home page that has five or six different fields a user can search on. So I have this POSTing to my results action just fine. The Result action looks like this:
[HttpPost]
public ActionResult Results(SearchModel model)
{
ResultsModel results = new ResultsModel();
results.ResultList = SearchManager.Search(model).ToList();
return View("Results", results);
}
I've simplified the above method for this post, but the idea is the same. So this all works fine. My results page shows up with the list of results and my user is at the following URL:
http://www.site.com/results
So...now I want to do something fairly common. I have two dropdown lists on the results page. "Sort by" and "# of results per page". How do I do that and send the full set of model data back to the controller so I can query with the new parameters? In reality, the SearchModel class has about 60 different fields. Potentially all of that data could be contained in the model. How do you persist that to a page "post back"?
This same question has me a little stumped about how to do paging as well. My paging links would go to a URL like:
http://www.site.com/results/2
But that assumes that we're responding to a GET request (I don't want 60 fields of data in the querystring) and that the model data is passed between GET requests, which I know isn't the case.
As I said, I think I'm missing some fundamentals about working with MVC 3, models and form posts.
Can anyone help point me in the right direction here? I'll be happy to edit/update this post as needed to clarify things.
EDIT: I also wanted to point out, I'd like to avoid storing the view model in a Session variable. This site will eventually end up being load balanced in a web farm and I'm really trying to avoid using Session if possible. However, if it's the only alternative, I'll configure another session state provider, but I'd prefer not to.
You can add your current SearchModel parameters to the route values for your form. Several versions of BeginForm allow you to pass in an object/RouteValuesDictionary.
#Html.BeginForm("Action", "Controller", new { SearchModel = Model }, FormMethod.Post)
This should pass-through your current SearchModel values so you can re-use them to get the next page. You need to have a controller action defined that will accept any current-page form values as well as the SearchModel.
I have not done this with form posts, but from what I have done and from what the docs say, this is where I would start. Of course, this also means that each of your page number "links" on the page will need to be doing posts. That is really inconvenient for users if they want to be able to use the Back button in the browser.
In this context, you can try to define a route that allows the page number to appear as a part of the URL -- "Action/Controller/{page}". However, I am not sure how that will work given that the form is doing a post.
Response to Comment:
Yeah, you can use Route Values to add the SearchModel to each page link, but as I said in the comment above, since the links will do a "get," your users will see the SearchModel serialized as a part of the link.
Either way, using Route Values is your answer to getting back your original SearchModel without using hidden fields, Session, or TempData.
Your SearchModel class needs to contain your search criteria and your results. Something like below. If you use a PagedList for your results then it will contain the current page, total pages, total items, etc. You can limit the amount of information in your page by only writing the search criteria that contain values.
public class SearchModel
{
public string Product { get; set; }
public string Sku { get; set; }
public string Size { get; set; }
public string Manufacturer { get; set; }
// etc...
public PagedList ResultsList { get; set; }
}
[HttpPost]
public ActionResult Results(SearchModel model)
{
model.ResultList = SearchManager.Search(model).ToList();
return View(model);
}
One of the options I'm coming up with here is to implement a distributed caching system that supports acting as a custom session provider (i.e. Memcached or Windows Server AppFabric), thereby allowing me to use TempData (and Session) in a load balanced environment like so:
[HttpPost]
public ActionResult Results(SearchModel model)
{
ResultsModel results = new ResultsModel();
results.ResultList = SearchManager.Search(model).ToList();
TempData["SearchModel"] = model;
return View("Results", results);
}
[HttpGet]
public ActionResult Results(int? page)
{
SearchModel model = (SearchModel)TempData["SearchModel"];
ResultsModel results = new ResultsModel();
results.ResultList = SearchManager.Search(model).ToList();
TempData["SearchModel"] = model;
return View("Results", results);
}
Any thoughts on this approach? Seems like a lot to have to go through just to get search parameters passed between requests. Or maybe I was just spoiled with this all happening behind the scenes with WebForms. :)
This seems to be another interesting option for Webforms spoiled guy ;) Persisting model state in ASP.NET MVC using Serialize HTMLHelper
Some kind of ViewState incarnation. It is part of MVC Futures . Not sure how long it is in Futures project and why it cannot get into main lib.