asp.net-mvc Prevent binding on PostModel


Example

Considering a (post)model:

public class User
{
    public string FirstName { get; set; }
    public bool IsAdmin { get; set; }
}

With a view like so:

@using (Html.BeginForm()) {
    @Html.EditorFor(model => model.FirstName)
    <input type="submit" value="Save" />       
}

In order to prevent a malicious user from assigning IsAdmin you can use the Bind attribute in the action:

[HttpPost]
public ViewResult Edit([Bind(Exclude = "IsAdmin")] User user)
{
    // ...
}