What is the role of [Bind(Exclude = "AlbumId")] annotation in data validation? What does scaffolding mean?

Yoda picture Yoda · Jun 29, 2014 · Viewed 6.9k times · Source

I follow this tutorial: http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-6

When talking about form validation author says that Bind anntoations is used to:

 Lists fields to exclude or include when binding parameter or form values to model properties

It is little bit gibberish to me - I don't get it. What does it actually mean? Maybe the problem is the word scaffold which has to meanings in dictionary that don't have any connection to IT.

What is the result of: [Bind(Exclude = "AlbumId")] and what is the sense of typing: [ScaffoldColumn(false)] - the column is not hidden by default, why to say it again.


namespace MvcMusicStore.Models
{
    [Bind(Exclude = "AlbumId")]
    public class Album
    {
        [ScaffoldColumn(false)]
        public int      AlbumId    { get; set; }
        [DisplayName("Genre")]
        public int      GenreId    { get; set; }
        [DisplayName("Artist")]
        public int      ArtistId   { get; set; }
        [Required(ErrorMessage = "An Album Title is required")]
        [StringLength(160)]
        public string   Title      { get; set; }
        [Required(ErrorMessage = "Price is required")]
        [Range(0.01, 100.00,
            ErrorMessage = "Price must be between 0.01 and 100.00")]
        public decimal Price       { get; set; }
        [DisplayName("Album Art URL")]
        [StringLength(1024)]
        public string AlbumArtUrl { get; set; }
        public virtual Genre  Genre    { get; set; }
        public virtual Artist Artist   { get; set; }
    }
}

Answer

Justin Helgerson picture Justin Helgerson · Jun 29, 2014

Scaffold

For what it's worth I've been building apps on top of ASP.NET MVC for over two years now and not once have I ever used the ScaffoldColumn attribute. However, to actually answer your question the attribute is used to tell the framework if the field should be visible.

As an example, if you used @Html.EditorForModel() (this method does some magic under the hood and builds out form inputs for your model properties) then your view will not contain inputs for the columns marked false in the ScaffoldColumn attribute. It's essentially a shortcut to tell the framework not to allow the field to be edited when it builds out the view. Again, I never use EditorForModel because I build out my forms by hand for each input because I want more granular control.

Bind

The Bind attribute is used to tell the framework if you want to allow the property to be bound to when sending data to the server (this is more of a security feature).

Consider this action:

[HttpPost]
public ActionResult DontSendMeTooMuchData(Employee employee) {
    db.Employees.Update(employee);
}

Suppose the Employee object looks like this:

public class Employee {
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string SocialSecurityNumber { get; set; }
}

Now suppose I send an HTTP POST request that sends up data:

FirstName=Justin
&LastName=Helgerson
&SocialSecurityNumber=YouShouldntLetMeUpdateThis

You've just updated my social security number! Bad news bears. How do you stop it?

[Bind(Exclude = "SocialSecurityNumber")]
public class Employee {
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string SocialSecurityNumber { get; set; }
}

Now when the DontSendMeTooMuchData method is executed and ASP.NET MVC does the model binding to give you an Employee object from the HTTP request, the SocialSecurityNumber property will never be populated from the request data.

Again, this is an attribute that I never use in my applications. There is another way to solve this problem that has other benefits. For fear of this answer becoming too long, the way to solve the problem is to use different models for your view and your database. I never let my database objects hit my view. Instead I build a class specifically for use in the view which only contains the properties I want the user to provide.