Asp.net MVC binding security issue
There’s a post on CodeThinked about a serious potential security issue.
The problem comes from an MVC convenience that when using an object as a controller action parameter, Asp.net MVC will bind the form fields to object properties auto-magically. Read the full post for a complete description.
I would recommend a solution using a presentation only model. There is a good reason for this.
The model object passed to the view should not be directly the domain/business object. I always create a thin adaptation layer for presentation, even when it doesn’t add much value. I lets me decouple presentation concerns from domain concerns.
The object coming back from the form should follow the same rule as part of this presentation concerns. There is no problem if those presentation objects provide only non sensitive fields.
But it’s sure that not anyone will know about the risks.