Controller methods and views¶

By Rick Anderson

We have a good start to the movie app, but the presentation is not ideal. We don’t want to see the time on the release date and ReleaseDate should be two words.

../../_images/m55.png

Open the Models/Movie.cs file and add the highlighted lines shown below:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
public class Movie
{
    public int ID { get; set; }
    public string Title { get; set; }

    [Display(Name = "Release Date")]
    [DataType(DataType.Date)]
    public DateTime ReleaseDate { get; set; }
    public string Genre { get; set; }
    public decimal Price { get; set; }
}
  • Right click on a red squiggly line > Quick Actions.
../../_images/qa.png
  • Tap using System.ComponentModel.DataAnnotations;
../../_images/da.png

Visual studio adds using System.ComponentModel.DataAnnotations;.

Let’s remove the using statements that are not needed. They show up by default in a light grey font. Right click anywhere in the Movie.cs file > Organize Usings > Remove Unnecessary Usings.

../../_images/rm.png

The completed is shown below:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
using System;
using System.ComponentModel.DataAnnotations;

namespace MvcMovie.Models
{
    public class Movie
    {
        public int ID { get; set; }
        public string Title { get; set; }

        [Display(Name = "Release Date")]
        [DataType(DataType.Date)]
        public DateTime ReleaseDate { get; set; }
        public string Genre { get; set; }
        public decimal Price { get; set; }
    }
}

We’ll cover DataAnnotations in the next tutorial. The Display attribute specifies what to display for the name of a field (in this case “Release Date” instead of “ReleaseDate”). The DataType attribute specifies the type of the data, in this case it’s a date, so the time information stored in the field is not displayed.

Browse to the Movies controller and hold the mouse pointer over an Edit link to see the target URL.

../../_images/edit7.png

The Edit, Details, and Delete links are generated by the MVC 6 Anchor Tag Helper in the Views/Movies/Index.cshtml file.

1
2
3
4
5
<td>
    <a asp-action="Edit" asp-route-id="@item.ID">Edit</a> |
    <a asp-action="Details" asp-route-id="@item.ID">Details</a> |
    <a asp-action="Delete" asp-route-id="@item.ID">Delete</a>
</td>

Tag Helpers enable server-side code to participate in creating and rendering HTML elements in Razor files. In the code above, the Anchor Tag Helper dynamically generates the HTML href attribute value from the controller action method and route id. You use View Source from your favorite browser or use the F12 tools to examine the generated markup. The F12 tools are shown below.

../../_images/f12.png

Recall the format for routing set in the Startup.cs file.

1
2
3
4
5
6
    app.UseMvc(routes =>
    {
        routes.MapRoute(
            name: "default",
            template: "{controller=Home}/{action=Index}/{id?}");
    });

ASP.NET translates http://localhost:1234/Movies/Edit/4 into a request to the Edit action method of the Movies controller with the parameter ID of 4. (Controller methods are also known as action methods.)

Tag Helpers are one of the most popular new features in ASP.NET 5. See Additional resources for more information.

Open the Movies controller and examine the two Edit action methods:

../../_images/11.png
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
public IActionResult Edit(int? id)
{
    if (id == null)
    {
        return HttpNotFound();
    }

    Movie movie = _context.Movie.Single(m => m.ID == id);
    if (movie == null)
    {
        return HttpNotFound();
    }
    return View(movie);
}

// POST: Movies/Edit/5
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Edit(Movie movie)
{
    if (ModelState.IsValid)
    {
        _context.Update(movie);
        _context.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(movie);
}

Note

The scaffolding engine generated code above has a serious over-posting security vulnerability. Be sure you understand how to protect from over-posting before you publish your app. This security vulnerability should be fixed in the next release.

Replace the HTTP POST Edit action method with the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
// POST: Movies/Edit/6
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Edit(
    [Bind("ID,Title,ReleaseDate,Genre,Price")] Movie movie)
{
    if (ModelState.IsValid)
    {
        _context.Update(movie);
        _context.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(movie);
}

The [Bind] attribute is one way to protect against over-posting. You should only include properties in the [Bind] attribute that you want to change. Apply the [Bind] attribute to each of the [HttpPost] action methods. See Protect your controller from over-posting for more information.

Notice the second Edit action method is preceded by the [HttpPost] attribute.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
// POST: Movies/Edit/6
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Edit(
    [Bind("ID,Title,ReleaseDate,Genre,Price")] Movie movie)
{
    if (ModelState.IsValid)
    {
        _context.Update(movie);
        _context.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(movie);
}

The [HttpPost] attribute specifies that this Edit method can be invoked only for POST requests. You could apply the [HttpGet] attribute to the first edit method, but that’s not necessary because [HttpGet] is the default.

The [ValidateAntiForgeryToken] attribute is used to prevent forgery of a request and is paired up with an anti-forgery token generated in the edit view file (Views/Movies/Edit.cshtml). The edit view file generates the anti-forgery token in the Form Tag Helper.

<form asp-action="Edit">

The Form Tag Helper generates a hidden anti-forgery token that must match the [ValidateAntiForgeryToken] generated anti-forgery token in the Edit method of the Movies controller. For more information, see 🔧 Anti-Request Forgery.

The HttpGet Edit method takes the movie ID parameter, looks up the movie using the Entity Framework Single method, and returns the selected movie to the Edit view. If a movie cannot be found, HttpNotFound is returned.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
// GET: Movies/Edit/5
public IActionResult Edit(int? id)
{
    if (id == null)
    {
        return HttpNotFound();
    }

    Movie movie = _context.Movie.Single(m => m.ID == id);
    if (movie == null)
    {
        return HttpNotFound();
    }
    return View(movie);
}

When the scaffolding system created the Edit view, it examined the Movie class and created code to render <label> and <input> elements for each property of the class. The following example shows the Edit view that was generated by the visual studio scaffolding system:

@model MvcMovie.Models.Movie

@{
    ViewData["Title"] = "Edit";
}

<h2>Edit</h2>

<form asp-action="Edit">
    <div class="form-horizontal">
        <h4>Movie</h4>
        <hr />
        <div asp-validation-summary="ValidationSummary.ModelOnly" class="text-danger" />
        <input type="hidden" asp-for="ID" />
        <div class="form-group">
            <label asp-for="Genre" class="control-label col-md-2" />
            <div class="col-md-10">
                <input asp-for="Genre" class="form-control" />
                <span asp-validation-for="Genre" class="text-danger" />
            </div>
        </div>
        <div class="form-group">
            <label asp-for="Price" class="control-label col-md-2" />
            <div class="col-md-10">
                <input asp-for="Price" class="form-control" />
                <span asp-validation-for="Price" class="text-danger" />
            </div>
        </div>
        @*ReleaseDate and Title removed for brevity.*@
        
        <div class="form-group">
            <div class="col-md-offset-2 col-md-10">
                <input type="submit" value="Save" class="btn btn-default" />
            </div>
        </div>
    </div>
</form>

<div>
    <a asp-action="Index">Back to List</a>
</div>

@section Scripts {
    <script src="~/lib/jquery/dist/jquery.min.js"></script>
    <script src="~/lib/jquery-validation/jquery.validate.min.js"></script>
    <script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js"></script>
}

Notice how the view template has a @model MvcMovie.Models.Movie statement at the top of the file — this specifies that the view expects the model for the view template to be of type Movie.

The scaffolded code uses several Tag Helper methods to streamline the HTML markup. The Label Tag Helper displays the name of the field (“Title”, “ReleaseDate”, “Genre”, or “Price”). The Input Tag Helper renders an HTML <input> element. The Validation Tag Helpers displays any validation messages associated with that property.

Run the application and navigate to the /Movies URL. Click an Edit link. In the browser, view the source for the page. The generated HTML for the <form> element is shown below.

<form action="/Movies/Edit/7" method="post">
    <div class="form-horizontal">
        <h4>Movie</h4>
        <hr />
        <div class="text-danger" />
        <input type="hidden" data-val="true" data-val-required="The ID field is required." id="ID" name="ID" value="7" />
        <div class="form-group">
            <label class="control-label col-md-2" for="Genre" />
            <div class="col-md-10">
                <input class="form-control" type="text" id="Genre" name="Genre" value="Western" />
                <span class="text-danger field-validation-valid" data-valmsg-for="Genre" data-valmsg-replace="true" />
            </div>
        </div>
        <div class="form-group">
            <label class="control-label col-md-2" for="Price" />
            <div class="col-md-10">
                <input class="form-control" type="text" data-val="true" data-val-number="The field Price must be a number." data-val-required="The Price field is required." id="Price" name="Price" value="3.99" />
                <span class="text-danger field-validation-valid" data-valmsg-for="Price" data-valmsg-replace="true" />
            </div>
        </div>
        <!-- Markup removed for brevity -->
        <div class="form-group">
            <div class="col-md-offset-2 col-md-10">
                <input type="submit" value="Save" class="btn btn-default" />
            </div>
        </div>
    </div>
    <input name="__RequestVerificationToken" type="hidden" value="CfDJ8Inyxgp63fRFqUePGvuI5jGZsloJu1L7X9le1gy7NCIlSduCRx9jDQClrV9pOTTmqUyXnJBXhmrjcUVDJyDUMm7-MF_9rK8aAZdRdlOri7FmKVkRe_2v5LIHGKFcTjPrWPYnc9AdSbomkiOSaTEg7RU" />
</form>

The <input> elements are in an HTML <form> element whose action attribute is set to post to the /Movies/Edit/id URL. The form data will be posted to the server when the Save button is clicked. The last line before the closing </form> element shows the hidden XSRF token generated by the Form Tag Helper.

Processing the POST Request¶

The following listing shows the [HttpPost] version of the Edit action method.

// POST: Movies/Edit/6
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Edit(
    [Bind("ID,Title,ReleaseDate,Genre,Price")] Movie movie)
{
    if (ModelState.IsValid)
    {
        _context.Update(movie);
        _context.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(movie);
}

The [ValidateAntiForgeryToken] attribute validates the hidden XSRF token generated by the anti-forgery token generator in the Form Tag Helper.

The ASP.NET MVC model binder takes the posted form values and creates a Movie object that’s passed as the movie parameter. The ModelState.IsValid method verifies that the data submitted in the form can be used to modify (edit or update) a Movie object. If the data is valid, the movie data is saved to the Movies collection of the database(ApplicationDbContext instance). The new movie data is saved to the database by calling the SaveChanges method of ApplicationDbContext. After saving the data, the code redirects the user to the Index action method of the MoviesController class, which displays the movie collection, including the changes just made.

As soon as the client side validation determines the values of a field are not valid, an error message is displayed. If you disable JavaScript, you won’t have client side validation but the server will detect the posted values that are not valid, and the form values will be redisplayed with error messages. Later in the tutorial we examine validation in more detail.

The Validation Tag Helper in the Views/Book/Edit.cshtml view template takes care of displaying appropriate error messages.

../../_images/val.png

All the HttpGet methods follow a similar pattern. They get a movie object (or list of objects, in the case of Index), and pass the model to the view. The Create method passes an empty movie object to the Create view. All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method. Modifying data in an HTTP GET method is a security risk, as described in the blog post ASP.NET MVC Tip #46 – Don’t use Delete Links because they create Security Holes. Modifying data in a HTTP GET method also violates HTTP best practices and the architectural REST pattern, which specifies that GET requests should not change the state of your application. In other words, performing a GET operation should be a safe operation that has no side effects and doesn’t modify your persisted data.