If we have the following controller action in Web API
public async Task<HttpResponseMessage> GetRoutes(
[FromUri] MapExtentQuery extent,
[FromUri] PagingQuery paging)
{
...
}
with
class MapExtentQuery {
public int X { get;set; }
public int Y { get; set; }
}
class PagingQuery {
public int Skip { get; set; }
public int Top { get; set; }
}
and we make a GET request to /routes both parameters (extent and paging) will be null.
If the request contains at least one querystring parameter, for instance
/routes?x=45
then both complex parameters will get initialized, so in the case of the 2nd route
extent.X = 45
extent.Y = 0
paging != null (but Skip and Top will be 0 of course).
Why does the [FromUri] binder work this way? It makes little or no sense.
I would understand if it initialized only the parameter that contains a property that matched at least one of the querystring values.
The problem is, this behaviour requires us to check when parameters are null (which happens only in the case that no querystring parameter was provided) and then initiliaze them ourselves.
Because obviously those complex params might have constructors which would set some property values to default.
It is because when you do not have query string and the parameters have FromUri attribute, the parser for the query string does not run and all values are not binded - you receive null.
If you have query string, the binder runs and instantiates all FromUri parameters and primitive types with their default values and then tries to fill in the properties from the query string values. This leaves you with two instantiated parameters but only one having the populated value because that is all the query string has.
As for why it works this way - most likely performance - this way they will not need to find which parameters they need to instantiate - they instantiate all of them and then find the properties. It is faster and performance is critical in the action and model binding.
Related
My .NET Core 3.1 WebApi controller PUT action is found and execute even if it should not. I have request data object with 2 properties in [FromBody] parameter. But if I call this route with absolutely different properties in the request Body, or no properties at all - it stil seems to be OK and Action is executed, just properties have default values for its types. I expected 400 Bad Request.
public class UpdateLogRequestData
{
[Required]
public int Records { get; set; }
[Required]
public int LogStatusId { get; set; }
}
Controller Action:
[HttpPut]
[Route("{logId:int}")]
public IActionResult UpdateLog(
[FromRoute] int logId,
[FromBody] UpdateLogRequestData requestData)
{
if (!this.ModelState.IsValid)
{
return this.BadRequest(this.ModelState);
}
...
}
I tried to add [Required] attributes and ModelState validation later when I noticed the Action is executed even by "bad request" - ie request with incorrectly named properties. Properties in UpdateLogRequestData just have 0 as their values (int default value).
It is dangerous behavior since I update records in the DB. And now, if someone sends the request without Records and LogStatusId properties, database will be updated with zeroes.
Why controller doesn't check it? It's the first time I see something like this. Why no Bad Request happens in that case?
So after deep digging in the Microsoft documentation I have found that validation in Web API has been changed since version .NET Core 3. For those with the same problem here is how ti works.
Web API controllers don't have to check ModelState.IsValid if they
have the [ApiController] attribute. In that case, an automatic HTTP
400 response containing error details is returned when model state is
invalid. For more information, see Automatic HTTP 400 responses.
[Required] validation on the server. On the server, a required value is
considered missing if the property is null. A non-nullable field is
always valid, and the [Required] attribute's error message is never
displayed.
However, model binding for a non-nullable property may fail, resulting
in an error message such as The value '' is invalid. To specify a
custom error message for server-side validation of non-nullable types,
you have the following options:
Make the field nullable (for example, decimal? instead of decimal).
Nullable value types are treated like standard nullable types.
OR
Specify the default error message to be used by model binding, as
shown in the following example:
services.AddRazorPages()
.AddMvcOptions(options =>
{
options.MaxModelValidationErrors = 50;
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(
_ => "The field is required.");
});
services.AddSingleton<IValidationAttributeAdapterProvider,
CustomValidationAttributeAdapterProvider>();
See the line
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(
_ => "The field is required.");
Make those value types nullable so that they do not default to the non-null default values when omitted in the request body.
public class UpdateLogRequestData {
[Required]
public int? Records { get; set; }
[Required]
public int? LogStatusId { get; set; }
}
In my model I have an nullable int.
In the view I have an input of type 'number'.
The problem is that the user could possibly input a number larger than the maximum possible integer value, which results in the following error:
The value [value] is not valid for [field]
I want to change this message, and putting a [Range(...)] validation on the attribute does not help, as non of my validations are being called, because the framework cannot parse the value to an int.
--------- EDIT ---------
My validations perform normally at normal input as shown here:
What I mean about my validations not being called is that I've read that the if the framework fails to parse the value to an int (because the value exceeds the max value of an integer), it ignores any further "unnecessary" validation.
Therefore my Range validation is ignored, as shown here:
I've tried creating a custom ValidationAttribute, but that has the same behaviour (Being called correctly at normal integer input, but is ignored at overflowing integer input)
--------- /EDIT ---------
All the solutions I have seen, proposes binding a custom resource file, in which I could override the default message for invalid values.
But I want to be able to specify a custom message at each attribute in case of an invalid value.
I thought about using strings instead of ints, and creating a custom ValidationAttribute which tries to parse it to an int.
Are there any alternatives?
// EDIT: I could avoid this problem (to some degree) by having client-side validation - But I want to know if it is possible from the server-side, in case of someone editing the html and forcing a higher value
There is couple of ways in which you can validate user input:
proper usage of Data Annotations - you could take a look here: http://www.asp.net/mvc/overview/older-versions/mvc-music-store/mvc-music-store-part-6 and here: https://msdn.microsoft.com/en-us/library/ee256141(v=vs.100).aspx
usage of jQuery Validation - http://jqueryvalidation.org/
Here is an example of custom validation attribute:
public class MyIntegerValidationAttribute : ValidationAttribute
{
public string[] PropertyNames { get; }
public MyIntegerValidationAttribute(params string[] propertyNames)
{
PropertyNames = propertyNames;
}
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
var properties = this.PropertyNames.Select(validationContext.ObjectType.GetProperty);
//here you have values of your properties
var values = properties.Select(p => p.GetValue(validationContext.ObjectInstance, null)).OfType<int>();
if (YOUR_CUSTOM_CONDITION)
{
return new ValidationResult(this.FormatErrorMessage(validationContext.DisplayName));
}
return null;
}
}
public class ViewModel
{
[MyIntegerValidationAttribute("B", "C", ErrorMessage = "My error message")]
public int A { get; set; }
public int B { get; set; }
public int C { get; set; }
}
I have a PUT method in web api which accepts a JSON data and a route data as follows.
[Route("api/v1/Orders/{orderId}/active")]
public HttpResponseMessage Put(Guid? orderId,List<ActiveRequest> activeRequests)
{
}
public class ActiveRequest
{
public int Id { get; set; }
public bool IsActive { get; set; }
}
Now is it possible to simplify the method signature as:
[Route("api/v1/Orders/{orderId}/active")]
public HttpResponseMessage Put(ActiveRequestModel model)
{
}
public class ActiveRequestModel
{
public Guid OrderId { get; set; }
public List<ActiveRequest> ActiveRequests {get; set;}
}
I tried writing a custom ModelBinder by implementing the System.Web.Http.ModelBinding.IModelBinder interface but could'nt find a way to read the JSON data that is coming inside the Request object.
I doubt that is there a way by which I can bind my model with data coming from three different places i.e. from route data, json & form.
You cannot simplify the parameter as described.
Unlike MVC model binding, beacuse of how the Web API formatter works, in Web API you only can have a single parameter that is deserialized from the payload, and a number of simple type parameters coming from route parameters or url query string. The reason is that the creation of the parameter coming from the payload is done in a single pass deserialization of the payload.
So, for your example you need the two parameters in your original version, i.e.:
public HttpResponseMessage Put(Guid? orderId, List<ActiveRequest> activeRequests)
If you want to use the ActiveRequestModel you need to include a payload which has exactly the same structure, so you should include the orderId in the payload, because it will not be recovered from the url (even if the name matches).
Please, read this article which explains how parameter binding works in Web API:
Parameter Binding in ASP.NET Web API
If you read it thoroughly you'll see that you can create and register your own model binder to make it work the same way that an MVC controller, but I think it's not worth the effort (so I include it only in this last paragraph), and it's not the standard way of working.
I just read this post by Dave Ward (http://encosia.com/using-jquery-to-post-frombody-parameters-to-web-api/), and I'm trying to throw together a simple web api controller that will accept a viewmodel, and something just isn't clicking for me.
I want my viewmodel to be an object with a couple DateTime properties:
public class DateRange
{
public DateTime Start { get; set; }
public DateTime End { get; set; }
}
Without changing anything in the stock web api project, I edit my values controller to this:
public IEnumerable<float> Get()
{
DateRange range = new DateRange()
{
Start = DateTime.Now.AddDays(-1),
End = DateTime.Now
};
return Repo.Get(range);
}
// GET api/values/5
public IEnumerable<float> Get(DateRange id)
{
return Repo.Get(range);
}
However, when I try to use this controller, I get this error:
Multiple actions were found that match the request:
System.Collections.Generic.IEnumerable1[System.Single] Get() on type FEPIWebService.Controllers.ValuesController
System.Collections.Generic.IEnumerable1[System.Single] Get(FEPIWebService.Models.DateRange) on type FEPIWebService.Controllers.ValuesController
This message appears when I hit
/api/values
or
/api/values?start=01/01/2013&end=02/02/2013
How can I solve the ambiguity between the first and second get actions?
For further credit, if I had this action
public void Post(DateRange value)
{
}
how could I post the Start and End properties to that object using jQuery so that modelbinding would build up the DateRange parameter?
Thanks!
Chris
The answer is in detail described here: Routing and Action Selection. The Extract
With that background, here is the action selection algorithm.
Create a list of all actions on the controller that match the HTTP request method.
If the route dictionary has an "action" entry, remove actions whose name does not match this value.
Try to match action parameters to the URI, as follows:
For each action, get a list of the parameters that are a simple type, where the binding gets the parameter from the URI. Exclude
optional parameters.
From this list, try to find a match for each parameter name, either in the route dictionary or in the URI query string. Matches are
case insensitive and do not depend on the parameter order.
Select an action where every parameter in the list has a match in the URI.
If more that one action meets these criteria, pick the one with the most parameter matches.
4.Ignore actions with the [NonAction] attribute.
Other words, The ID parameter you are using, is not SimpleType, so it does not help to decide which of your Get methods to use. Usually the Id is integer or guid..., then both methods could live side by side
If both of them would return IList<float>, solution could be to omit one of them:
public IEnumerable<float> Get([FromUri]DateRange id)
{
range = range ?? new DateRange()
{
Start = DateTime.Now.AddDays(-1),
End = DateTime.Now
};
return Repo.Get(range);
}
And now both will work
/api/values
or
/api/values?Start=2011-01-01&End=2014-01-01
In my ASP.NET MVC 2 web application, I allow users to create custom input fields of different data types to extend our basic input form. While tricky, building the input form from a collection of custom fields is straight-forward enough.
However, I'm now to the point where I want to handle the posting of this form and I'm not certain what the best way to handle this would be. Normally, we'd use strongly-typed input models that get bound from the various statically-typed inputs available on the form. However, I'm at a loss for how to do this with a variable number of input fields that represent different data types.
A representative input form might look something like:
My date field: [ date time input
control ]
My text field: [ text input
field ]
My file field: [ file upload
control ]
My number field: [ numerical input control ]
My text field 2: [text input field ]
etc...
Ideas I've thought about are:
Sending everything as strings (except for the file inputs, which would need to be handled specially).
Using a model with an "object" property and attempting to bind to that (if this is even possible).
Sending a json request to my controller with the data encoded properly and attempting to parse that.
Manually processing the form collection in my controller post action - certainly an option, but I'd love to avoid this.
Has anyone tackled an issue like this before? If so, how did you solve it?
Update:
My "base" form is handled on another input area all together, so a solution doesn't need to account for any sort of inheritence magic for this. I'm just interested in handling the custom fields on this interface, not my "base" ones.
Update 2:
Thank you to ARM and smartcaveman; both of you provided good guidance for how this could be done. I will update this question with my final solution once its been implemented.
This is how I would begin to approach the issue. A custom model binder would be pretty easy to build based on the FormKey property (which could be determined by the index and/or label, depending).
public class CustomFormModel
{
public string FormId { get; set; }
public string Label { get; set; }
public CustomFieldModel[] Fields { get; set; }
}
public class CustomFieldModel
{
public DataType DateType { get; set; } // System.ComponentModel.DataAnnotations
public string FormKey { get; set; }
public string Label { get; set; }
public object Value { get; set; }
}
public class CustomFieldModel<T> : CustomFieldModel
{
public new T Value { get; set; }
}
Also, I noticed one of the comments below had a filtered model binder system. Jimmy Bogard from Automapper made a really helpful post about this method at http://www.lostechies.com/blogs/jimmy_bogard/archive/2009/03/17/a-better-model-binder.aspx , and later revised in, http://www.lostechies.com/blogs/jimmy_bogard/archive/2009/11/19/a-better-model-binder-addendum.aspx . It has been very helpful for me in building custom model binders.
Update
I realized that I misinterpreted the question, and that he was specifically asking how to handle posting of the form "with a variable number of input fields that represent different data types". I think the best way to do this is to use a structure similar to above but leverage the Composite Pattern. Basically, you will need to create an interface like IFormComponent and implement it for each datatype that would be represented. I wrote and commented an example interface to help explain how this would be accomplished:
public interface IFormComponent
{
// the id on the html form field. In the case of a composite Id, that doesn't have a corresponding
// field you should still use something consistent, since it will be helpful for model binding
// (For example, a CompositeDateField appearing as the third field in the form should have an id
// something like "frmId_3_date" and its child fields would be "frmId_3_date_day", "frmId_3_date_month",
// and "frmId_3_date_year".
string FieldId { get; }
// the human readable field label
string Label { get; }
// some functionality may require knowledge of the
// Parent component. For example, a DayField with a value of "30"
// would need to ask its Parent, a CompositeDateField
// for its MonthField's value in order to validate
// that the month is not "February"
IFormComponent Parent { get; }
// Gets any child components or null if the
// component is a leaf component (has no children).
IList<IFormComponent> GetChildren();
// For leaf components, this method should accept the AttemptedValue from the value provider
// during Model Binding, and create the appropriate value.
// For composites, the input should be delimited in someway, and this method should parse the
// string to create the child components.
void BindTo(string value);
// This method should parse the Children or Underlying value to the
// default used by your business models. (e.g. a CompositeDateField would
// return a DateTime. You can get type safety by creating a FormComponent<TValue>
// which would help to avoid issues in binding.
object GetValue();
// This method would render the field to the http response stream.
// This makes it easy to render the forms simply by looping through
// the array. Implementations could extend this for using an injected
// formatting
void Render(TextWriter writer);
}
I am assuming that the custom forms can be accessed via some sort of id which can be contained as a form parameter. With that assumption, the model binder and provider could look something like this.
public interface IForm : IFormComponent
{
Guid FormId { get; }
void Add(IFormComponent component);
}
public interface IFormRepository
{
IForm GetForm(Guid id);
}
public class CustomFormModelBinder : IModelBinder
{
private readonly IFormRepository _repository;
public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
ValueProviderResult result;
if(bindingContext.ValueProvider.TryGetValue("_customFormId", out result))
{
var form = _repository.GetForm(new Guid(result.AttemptedValue));
var fields = form.GetChildren();
// loop through the fields and bind their values
return form;
}
throw new Exception("Form ID not found.");
}
}
Obviously, all the code here is just to get the point across, and would need to be completed and cleaned up for actual use. Also, even if completed this would only bind to an implementation of the IForm interface, not a strongly typed business object. (It wouldn't be a huge step to convert it to a dictionary and build a strongly typed proxy using the Castle DictionaryAdapter, but since your users are dynamically creating the forms on the site, there is probably no strongly typed model in your solution and this is irrelevant). Hope this helps more.
Take a peek at what I did here: MVC2 Action to handle multiple models and see if can get you on the right track.
If you use a FormCollection as one of your parameters to your action, you can then go thru that form collection looking for bits of data here or there in order to bind those values to whatever an then save the data. You are most likely going to need to take advantage of both strategy and command patterns to get this to work.
Best of luck, feel free to ask follow-up questions.
Edit:
Your method which does the work should look something like this:
private/public void SaveCustomFields(var formId, FormCollection collection) //var as I don't know what type you are using to Id the form.
{
var binders = this.binders.select(b => b.CanHandle(collection)); //I used IOC to get my list of IBinder objects
// Method 1:
binders.ForEach(b => b.Save(formId, collection)); //This is the execution implementation.
// Method 2:
var commands = binders.Select(b => b.Command(formId, collection));
commands.ForEach(c => c.Execute());
}
public DateBinder : IBinder //Example binder
{
public bool CanHandle(FormCollection collection)
{
return (null != collection["MyDateField"]); //Whatever the name of this field is.
}
//Method 1
public void Save(var formId, FormCollection collection)
{
var value = DateTime.Parse(collection["MyDateField"]);
this.someLogic.Save(formId, value); //Save the value with the formId, or however you wish to save it.
}
//Method 2
public Command Command(var formId, FormCollection collection)
{
//I haven't done command pattern before so I'm not sure exactly what to do here.
//Sorry that I can't help further than that.
}
}
I would think one of the best options is to create a custom model binder, which makes it possible to have custom logic behind the scenes and still very customizable code behind.
Maybe these articles can help you:
http://www.gregshackles.com/2010/03/templated-helpers-and-custom-model-binders-in-asp-net-mvc-2/
http://www.singingeels.com/Articles/Model_Binders_in_ASPNET_MVC.aspx
More specifically I would probably take as the controller argument a custom class with all "base" properties included. The class could then for example include a dictionary linking the name of each field to either just an object or an interface which you implement once for each data-type making it simple to process the data later.
/Victor