TryUpdateModel: Determine model type at runtime #1837
Comments
We now have precedence in doing this via TryValidateModel - https://github.com/aspnet/Mvc/blob/dev/src/Microsoft.AspNet.Mvc.Core/Controller.cs#L1062-L1064 |
true though if we do make a change here, probably still want to prevent boxing and attempting to update a value type model. the type parameter avoids that problem and moves errors to compile-time. |
I didn't suggest removing TModel because the includeExpressions parameter needs it, although you could have one overload with TModel and the others without it. |
@maxtoroq perhaps. then again, the use of |
@dougbu I agree. Although I haven't tested it, perhaps simply using |
checked in - f1c62ef |
We need to revert this change. This was an intended security guarantee. Instead we need to provide a non-generic version that takes the type as input in a non-generic way |
for how many of the existing separately can we remove the |
@yishaigalatzer Would you mind explaining the security concerns? |
In short people using mvc5 have exact opposite expectations (because that's how the code worked) so that would create an overbinding problem. Hence we provide an explicit overload just like mvc5 did. -----Original Message----- @yishaigalatzer Would you mind explaining the security concerns? |
@doug if you have concerns with existing design file a separate bug. Lets keep the concerns separate -----Original Message----- for how many of the existing Controller.TryUpdateModelAsync(...) overloads will we create TryUpdateModelAsync(Type modelType, ...) equivalents? e.g. suspect overloads with [NotNull] params Expression<Func<object, object>>[] includeExpressions parameters won't be that helpful. |
@yishaigalatzer sure. I'll file a bug if we end up with a couple of extra methods. however
was a question about the new way forward for this issue. and my second paragraph was, in part, a plea not to go too crazy with helper overloads. |
@yishaigalatzer Cannot argue against back compat. There's little value in adding more overloads, which anyone can do. If the default behavior is not changed, what's the point. There are other parts of the framework that work against the runtime type instead of the declared type, e.g. |
I get your point. This is dealing with unsafe inputs scenarios, so we cannot be liberal with that. The additional overloads provide an easy escape hatch. -----Original Message----- @yishaigalatzer Cannot argue against back compat. There's little value in adding more overloads, which anyone can do. If the default behavior is not changed, what's the point. |
checked in - f6e701b |
The TryUpdateModel methods require that you explicitly declare the type you are binding at compile time, and if you attempt to bind a subclass instance the subclass properties are ignored. This is because the model metadata is requested using the type parameter:
...instead of using the type of the model instance:
Even with this small change you are still forced to provide the TModel type parameter, but at least you can pass a base type for TModel and have a derived instance be properly updated.
The text was updated successfully, but these errors were encountered: