asp.net-mvc Model binding Prevent binding on PostModel
Example
Considering a (post)model:
public class User
{
public string FirstName { get; set; }
public bool IsAdmin { get; set; }
}
With a view like so:
@using (Html.BeginForm()) {
@Html.EditorFor(model => model.FirstName)
<input type="submit" value="Save" />
}
In order to prevent a malicious user from assigning IsAdmin you can use the Bind attribute in the action:
[HttpPost]
public ViewResult Edit([Bind(Exclude = "IsAdmin")] User user)
{
// ...
}
