I have the following problem: I have a view (to edit an object) which has a ViewModel and in the ViewModel I deliberately left out the Id of the object it represented. That way no hacker can alter formvalues and post an Id to the server himself. I still use model binding in the controller where I of course do not include the Id, but two layers of security are more secure than one.
Now I have added a delete button to the view. The function on the controller requires an Id and I see others take the Id from the (View)Model but that would require adding it to the ViewModel which I hope won't be necessary. The U开发者_开发问答rl of the controller action which loads the editview knows about the Id.
Can I work around this without adding the Id to the ViewModel?
handler: function(btn) {debugger;
var conn = new Ext.data.Connection();
conn.request
(
{
url: '<%= Url.Action("DeleteHourType") %>',
method: 'POST',
success: function(resp) {
var url = JSON.parse(resp.responseText).redirect;
window.location = url;
}
}
);
}
No, you'll need to store the Id on the client somewhere. You can always encrypt the value if you are that concerned.
Instead of avoiding putting Ids in the view make sure that whatever actions happen behind the scene performs security checks so user a can't edit user b's stuff. Security by obscurity, by not posting the id to the client, is never ok.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论