MVC Editing Entities - Security implications
Probably a bit of a newbie question, but I'm going to ask it anyway. I'm a webforms developer; however, I have been given an MVC app to look after and have found what I think may be a security hole. I just want to check my thinking is right before I flag this up with my employer.
Basically, we have a view for editing an object (call it a car), so the object contains Make, Model, ManufactureYear, Color, RegistrationNumber.
The view displays all of the above but only allows the Color to be edited.
The problem is that the other properties are written out to the HTML in hidden fields which are then posted back and used to populate a car object which is pushed through to the database.
I saw this and thought, what happens if I change these hidden fields, and sure enough, I now have a car with a manufacture date 10 years in the future...
The original dev says that this is the way that MVC works... I'm new (literally have 2 hours of MVC experience), so I can't contest this at the moment.
Anyone have any thoughts? Can anyone advise how this should be done? I'm also told that my way of doing it (which would be to pull the car from the database and only update the field that the view can actually manipulate) is also wrong...
I'd appreciate advice!
That's not inherent to "MVC" by any means. It's more aligned with the stateless nature of the Web and all that RESTful type of stuff, but this particular case isn't justified by that. It sounds like if you only want a limited set of updatable fields, you should only have some form of identifier for the object (like a primary key in an RDBMS) and the field you want to update (or the Controller should discard the rest). You should certainly not allow for arbitrary access to fields that should be restricted in pursuit of not carrying state.
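A sketch of the approach the answer describes, added here as an example and not code from the original thread: the action binds only an identifier and the editable field, then loads the stored entity and changes that one property. It assumes ASP.NET MVC 5 with Entity Framework 6; `CarDbContext`, `CarColorEditModel`, `CarsController`, the `Details` action and the length limit on `Color` are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;   // Entity Framework 6 (assumed data layer)
using System.Web.Mvc;       // ASP.NET MVC 5 (assumed framework)

// Entity with the properties listed in the question.
public class Car
{
    public int Id { get; set; }
    public string Make { get; set; }
    public string Model { get; set; }
    public int ManufactureYear { get; set; }
    public string Color { get; set; }
    public string RegistrationNumber { get; set; }
}

public class CarDbContext : DbContext   // hypothetical context name
{
    public DbSet<Car> Cars { get; set; }
}

// The only values the edit form is allowed to submit.
// The model binder has nowhere to put a posted ManufactureYear or Make.
public class CarColorEditModel
{
    public int Id { get; set; }

    [Required, StringLength(30)]   // assumed validation rule
    public string Color { get; set; }
}

public class CarsController : Controller
{
    private readonly CarDbContext db = new CarDbContext();

    [HttpPost]
    public ActionResult Edit(CarColorEditModel input)
    {
        if (!ModelState.IsValid) return View(input);

        // Read the trusted copy from the database rather than from hidden fields.
        Car car = db.Cars.Find(input.Id);
        if (car == null) return HttpNotFound();

        car.Color = input.Color;   // the single property the view may change
        db.SaveChanges();
        return RedirectToAction("Details", new { id = car.Id });
    }
}
```

The read-only properties can still be shown in the view as plain text; they just no longer need to travel back in hidden fields, and extra form fields added by a client are ignored.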