This question is locked. New answers and comments are not allowed.
Using Fiddler to inspect for some other issues I noticed that when data is sent to the MVC Grid control it includes columns that are in the model but not bound to the grid. These unbound columns do not contain their data values but still represent information leakage and effectively give away information about our schema.
Example:
-Strongly typed model has properties A,B,C,D,E,F
-Bind columns A,B,C to MVC Grid for display
-HTTP Response sends data to MVC Grid containing columns A,B,C,D,E,F where A,B,C have values and are displayed and D,E,F do not contain data values and are not displayed in the control. (but are viewable in response or in page source)
-Columns D,E,F are marked as ScaffoldColumn(false) in the model and Hidden(true), Visible(false) in the grid control but still get sent in the response.
The best, most secure behavior would be for columns that are not included in the binding to not be sent to the browser/UI. In particular observing the ScaffoldColumn(false) attribute on the model would be optimal and in such cases those columns should not be included in server responses.
Is there a way to accomplish this currently and if not can an enhancement to the controls be included in the near future?
Example:
-Strongly typed model has properties A,B,C,D,E,F
-Bind columns A,B,C to MVC Grid for display
-HTTP Response sends data to MVC Grid containing columns A,B,C,D,E,F where A,B,C have values and are displayed and D,E,F do not contain data values and are not displayed in the control. (but are viewable in response or in page source)
-Columns D,E,F are marked as ScaffoldColumn(false) in the model and Hidden(true), Visible(false) in the grid control but still get sent in the response.
The best, most secure behavior would be for columns that are not included in the binding to not be sent to the browser/UI. In particular observing the ScaffoldColumn(false) attribute on the model would be optimal and in such cases those columns should not be included in server responses.
Is there a way to accomplish this currently and if not can an enhancement to the controls be included in the near future?
3 Answers, 1 is accepted
0
Demon
Top achievements
Rank 1
Rank 1
answered on 28 Jun 2011, 02:15 PM
Hi, you can use a viewmodel to prevent unwanted information from being sent to the client.
0
Louis
Top achievements
Rank 1
Rank 1
answered on 28 Jun 2011, 02:24 PM
I am looking for a solution that doesn't require a pattern where we need to create 2 (or more) versions of every model and do work to map data between them (ala Automapper or the like). There will be more complex cases that will require viewmodels but all that extra work shouldn't be required if I simply have 1 or 2 sensitive columns I want to keep from the browser.
In "old school' databinding with ASP.Net server controls this was a simple task to accomplish (only binding and sending the data columns desired).
In "old school' databinding with ASP.Net server controls this was a simple task to accomplish (only binding and sending the data columns desired).
0
Hi Louis,
Atanas Korchev
the Telerik team
Old school data binding in ASP.NET was purely server side. The model was never serialized to the client-side. The same thing will happen if you use the server side binding of the Telerik grid for ASP.NET MVC.
In ajax binding scenarios the datasource of the grid is serialized by the JavaScriptSerializer and returned as JsonResult. The only way to not serialize a property of the bound model is to decorate it with the ScriptIgnoreAttribute.
Atanas Korchev
the Telerik team
Do you want to have your say when we set our development plans?
Do you want to know when a feature you care about is added or when a bug fixed?
Explore the
Telerik Public Issue Tracking
system and vote to affect the priority of the items