By using [ReadOnly(true)] you are explicitly instructing the model binder not to bind the field to the property of the model. By rendering the property using Html.HiddenFor you have already achieved what you want in your rendered HTML. You can include a second parameter in your controller action as int OrderId, and the model binder will bind the value onto that variable.
A rogue user may still be able to edit OrderId. One way to guard it against such action is to encrypt OrderId and use the encrypted value in the model and subsequently on the page. Then once the postback happens, you will decrypt the encrypted OrderId. Encryption and decryption could be encapsulated into the model itself.
@TomerW, if I understood your question correctly, your core issue is that a rogue user can change the value of OrderId at the client side. My suggestion is not to render OrderId in its bare form, but to encrypt it at the server side using a key known only to the server. You should render the encrypted value in HTML as a hidden field. A rogue user may still attempt to change the associated value, but decryption will fail and you will know that someone has tried to fiddle with your value. Following is a stub implementation:
using System.ComponentModel;

public class ChangeOrderDetailModel
{
    [ReadOnly(true)] /* You are instructing the model binder not to bind this value */
    public int OrderId { get; set; }

    private string _OrderIdEnc;

    /* Encrypted form of OrderId; this is what gets rendered in the hidden field */
    public string OrderIdEnc
    {
        /* Encrypt */
        get
        {
            return Encrypt(OrderId);
        }
        set
        {
            _OrderIdEnc = value;
        }
    }

    public void DecryptPayload()
    {
        /* Decrypt; this will fail if someone has edited the value */
        OrderId = Decrypt(_OrderIdEnc);
    }

    /* Encrypt and Decrypt are left as stubs here; see the note below on using the standard Windows crypto APIs */
}
In your view, use @Html.HiddenFor(o => o.OrderIdEnc). You can use standard Windows crypto to do the encryption and decryption.
To be extremely safe, you can use a different key for each req/response session. This will prevent a more advanced rogue user from replacing OrderIdEnc with an older version.
I am sure that there may be other solutions, but the above is a pattern that I have used many times and it has worked.
Cheers
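The following is an added, stand-alone example of the pattern described in this answer; it is not the answer's own code. It fills in the Encrypt/Decrypt stubs with AES-GCM (System.Security.Cryptography.AesGcm, available from .NET Core 3.0 onwards), because an authenticated cipher is what makes "decryption will fail" a guarantee: unauthenticated AES would decrypt an edited hidden field to a garbage OrderId rather than rejecting it. The class and method names OrderIdProtector, Protect, TryUnprotect and ForOrder are hypothetical, and the key is generated per process so the sample runs without configuration.

```csharp
using System;
using System.ComponentModel;
using System.Security.Cryptography;

// Added example, not the answer's code. Assumes .NET Core 3.0+ for AesGcm.
public static class OrderIdProtector
{
    private const int NonceSize = 12; // 96-bit nonce, the recommended size for GCM
    private const int TagSize = 16;   // 128-bit authentication tag

    // Constructed demo key, generated once per process. A real application loads
    // it from protected server-side configuration so tokens survive restarts.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        RandomNumberGenerator.Fill(key);
        return key;
    }

    // Encrypts the OrderId and returns base64(nonce || ciphertext || tag).
    public static string Protect(int orderId)
    {
        byte[] plaintext = BitConverter.GetBytes(orderId);
        var nonce = new byte[NonceSize];
        RandomNumberGenerator.Fill(nonce);
        var ciphertext = new byte[plaintext.Length];
        var tag = new byte[TagSize];
        using (var aes = new AesGcm(Key))
        {
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        }
        var token = new byte[NonceSize + ciphertext.Length + TagSize];
        Buffer.BlockCopy(nonce, 0, token, 0, NonceSize);
        Buffer.BlockCopy(ciphertext, 0, token, NonceSize, ciphertext.Length);
        Buffer.BlockCopy(tag, 0, token, NonceSize + ciphertext.Length, TagSize);
        return Convert.ToBase64String(token);
    }

    // Returns true and the original OrderId only if the token is intact.
    public static bool TryUnprotect(string token, out int orderId)
    {
        orderId = 0;
        byte[] bytes;
        try { bytes = Convert.FromBase64String(token ?? string.Empty); }
        catch (FormatException) { return false; }
        if (bytes.Length != NonceSize + sizeof(int) + TagSize) return false;

        var nonce = new byte[NonceSize];
        var ciphertext = new byte[sizeof(int)];
        var tag = new byte[TagSize];
        var plaintext = new byte[sizeof(int)];
        Buffer.BlockCopy(bytes, 0, nonce, 0, NonceSize);
        Buffer.BlockCopy(bytes, NonceSize, ciphertext, 0, sizeof(int));
        Buffer.BlockCopy(bytes, NonceSize + sizeof(int), tag, 0, TagSize);
        try
        {
            using (var aes = new AesGcm(Key))
            {
                aes.Decrypt(nonce, ciphertext, tag, plaintext);
            }
        }
        catch (CryptographicException)
        {
            return false; // tag mismatch: the hidden field was edited
        }
        orderId = BitConverter.ToInt32(plaintext, 0);
        return true;
    }
}

public class ChangeOrderDetailModel
{
    [ReadOnly(true)]
    public int OrderId { get; set; }

    // Rendered with @Html.HiddenFor(m => m.OrderIdEnc) and model-bound on postback.
    public string OrderIdEnc { get; set; }

    public static ChangeOrderDetailModel ForOrder(int orderId) =>
        new ChangeOrderDetailModel { OrderId = orderId, OrderIdEnc = OrderIdProtector.Protect(orderId) };

    // Call in the POST action before trusting OrderId; false means reject the request.
    public bool DecryptPayload()
    {
        int id;
        if (!OrderIdProtector.TryUnprotect(OrderIdEnc, out id)) return false;
        OrderId = id;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var rendered = ChangeOrderDetailModel.ForOrder(4711);
        var posted = new ChangeOrderDetailModel { OrderIdEnc = rendered.OrderIdEnc };
        Console.WriteLine(posted.DecryptPayload() ? "intact: " + posted.OrderId : "tampered");

        // Constructed tampering case: one ciphertext byte of the hidden field altered.
        byte[] raw = Convert.FromBase64String(rendered.OrderIdEnc);
        raw[OrderIdProtector_NonceOffset] ^= 0x01;
        var edited = new ChangeOrderDetailModel { OrderIdEnc = Convert.ToBase64String(raw) };
        Console.WriteLine(edited.DecryptPayload() ? "intact: " + edited.OrderId : "tampered");
    }

    private const int OrderIdProtector_NonceOffset = 12; // first ciphertext byte follows the 12-byte nonce
}
```

The random nonce makes every rendering of the same OrderId produce a different token, but it does not by itself stop a user from resubmitting a token captured from an earlier page; the per-session key the answer suggests, or passing a session identifier as the GCM associated data, closes that gap. Log the `tampered` outcome on the server: a tag mismatch on a field the browser never needs to change is a reliable signal of deliberate manipulation.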