Jon P Smith edited this page Apr 10, 2018 · 7 revisions

The update of an entity in the database uses CrudServices's UpdateAndSave method. In web applications this has a typical two-stage update consisting of

  1. ReadSingle<EntityOrDto>(key) to show the user the current state, some of which will be editable.
  2. UpdateAndSave(Data) to update the entity.

The RazorAppPage application contains multiple examples of the use of the UpdateAndSave method:

Updates of DDD-styled entity classes

Updates of standard-styled entity classes

Potential security issue with standard-styled entity classes
For standard-styled entity classes, or any updates done by AutoMapper it is really important to use the [ReadOnly(true)] attribute to mark those properties you DON'T want updated in the database (see this doc).
Otherwise you have a vulnerability, as the values that you showed but didn't expect to change, like the title, could be changed by someone hacking the HTTP request.


  1. If the entity class has any methods that return void or IStatusGeneric then it will look at these to do the update. Otherwise it tries to use AutoMapper.
  2. If there are methods in the entity it will try to match the DTOs name, (minus a set of possible DTO endings) with a method. If there is a match it will set this as the default method to use.
  3. You can state exactly what type/name of method/AutoMapper you want to use, by providing a second parameter to the command, e.g. _service.UpdateAndSave(Data, "UpdatePublishedOn"). This is useful if there are multiple methods that will match the DTO non-read-only properties. The options for the second parameter are:
    • methodName - use a specific named static method, e.g. "AddPromotion"
    • methodName(n) - use a specific named static method with n parameters, e.g. "AddPromotion(3)"
    • AutoMapper - use AutoMapper's save mapping to copy the DTO into the entity
  4. For methods with no parameters, e.g. RemovePromotion() method in Book entity, you must define the method name either by:
    • Creating a DTO name that will select the method (see note 2)
    • Providing a second parameter of the call, e.g. _service.UpdateAndSave(Data, "RemovePromotion")
    • or by providing a PerDtoConfig to the DTO with the UpdateMethod overriden with the name.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.