ASP.NET MVC: Ignore field(s) on edit

2023-09-04 13:25:19 Author: 半醉亱未央

As I'm in the process of learning ASP.NET MVC, I ran into a question and into some trouble.

I'm trying to create a simple blog, just to test out what I have learned so far. But when it comes to editing and leaving a field, I run into a problem.

I'm trying to edit an already submitted post on my blog, the post contains few fields: Id, Headline, Message, Author and Date for the submission which should not be edited, just left as it is.

Here is some code:

My Post model:

using System;
using System.ComponentModel.DataAnnotations;

namespace MyBlock.Models
{
    public class Post
    {
        public int Id { get; set; }

        [Required]
        public string Author { get; set; }

        [Required]
        public string Headline { get; set; }

        [Required]
        public string Message { get; set; }

        public DateTime Date { get; set; }
    }
}

My edit:

[HttpGet]
public ActionResult Edit(int id = 0)
{
    Post post = db.Posts.Find(id);

    if (post != null) {
        return View(post);          
    }

    return HttpNotFound();
}

[HttpPost]
public ActionResult Edit(Post post)
{
    if (ModelState.IsValid) {
        db.Entry(post).State = EntityState.Modified;
        db.SaveChanges();

        return RedirectToAction("Index", "Home");
    }

    return View(post);
}

And my view for edit:

@model MyBlock.Models.Post

@{
    ViewBag.Title = "Edit";
}

<h2>Rediger "@Model.Headline"</h2>

@using (Html.BeginForm()) {
    @Html.LabelFor(u => u.Author)
    @Html.TextBoxFor(u => u.Author)

    @Html.LabelFor(u => u.Headline)
    @Html.TextBoxFor(u => u.Headline)

    @Html.LabelFor(u => u.Message)
    @Html.TextAreaFor(u => u.Message)

    <input type="submit" value="Gem" />
}

I know I could throw in a @HiddenFor(u => u.Date) and the same date would be submitted. But I bet there is another way than having it as a hidden field in the source code? I mean this isn't that secure in another example? So I want something else than hidden field here. Can you guys help me out?

If I try to run this as it is, I'm getting an error which is my Date isn't set, which is logical because it wants to update that one as well. But I don't want it to. I want to leave it optional, if you could say that.

Recommended answer

Don't take candy from strangers

In other words, don't take the information from the client and directly update the DB. You should enforce your business rules on the server side and not trust the client to do it for you.

[HttpPost]
public ActionResult Edit(Post post)
{
    if (ModelState.IsValid) {
        var dbPost = db.Posts.FirstOrDefault(p => p.Id == post.Id);
        if (dbPost == null)
        {
            return HttpNotFound();
        }

        dbPost.Author = post.Author;
        dbPost.Message = post.Message;
        dbPost.Headline = post.Headline;
        db.SaveChanges();

        return RedirectToAction("Index", "Home");
    }

    return View(post);
}

[HttpPost]
public ActionResult Add(Post post)
{
    if (ModelState.IsValid) {
        var dbPost = db.Posts.Create();
        dbPost.Author = post.Author;
        dbPost.Message = post.Message;
        dbPost.Headline = post.Headline;
        dbPost.Date = DateTime.Now; // Don't trust client to send current date
        db.Posts.Add(dbPost); // Track the new entity so SaveChanges inserts it
        db.SaveChanges();

        return RedirectToAction("Index", "Home");
    }

    return View(post);
}

In my own project I enforce rules like this at the domain layer by adding custom validation rules to the ValidateEntity method.
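
The answer's point, as an added example that is not part of the original answer: a constructed request body carries a Date field the edit form never rendered, and the two update strategies are run against it side by side. BindAll, BindEditable and the sample form values are hypothetical, and the reflection-based binder only stands in for MVC's model binder followed by EntityState.Modified.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

public class Post
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Headline { get; set; }
    public string Message { get; set; }
    public DateTime Date { get; set; }
}

public static class OverPostingDemo
{
    // Fields the edit form may change; Id and Date are deliberately absent.
    static readonly string[] Editable = { "Author", "Headline", "Message" };

    // Stand-in for binding the whole entity: every posted key matching a property is applied.
    public static void BindAll(Post target, IDictionary<string, string> form)
    {
        foreach (var prop in typeof(Post).GetProperties())
        {
            string raw;
            if (form.TryGetValue(prop.Name, out raw))
                prop.SetValue(target, Convert.ChangeType(raw, prop.PropertyType, CultureInfo.InvariantCulture));
        }
    }

    // Allow-list update: only editable fields are copied onto the stored entity.
    public static void BindEditable(Post stored, IDictionary<string, string> form)
    {
        foreach (var name in Editable.Where(form.ContainsKey))
            typeof(Post).GetProperty(name).SetValue(stored, form[name]);
    }

    public static void Main()
    {
        // Constructed request body: the client added a Date field on its own.
        var form = new Dictionary<string, string> {
            { "Headline", "Edited" }, { "Message", "New text" },
            { "Author", "alice" }, { "Date", "1999-01-01" } };
        var original = new DateTime(2013, 5, 1); // constructed stored value

        var a = new Post { Id = 1, Date = original };
        BindAll(a, form);
        Console.WriteLine("bind all:   Date changed = {0}", a.Date != original);

        var b = new Post { Id = 1, Date = original };
        BindEditable(b, form);
        Console.WriteLine("allow-list: Date changed = {0}", b.Date != original);
    }
}
```

The same reasoning applies to a hidden field: its value is just another posted key, so only the server-side allow-list decides whether it reaches the stored entity.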