Geeks With Blogs
Liam McLennan
Presentation models, or screen-bound DTOs, are lightweight classes tailored to the needs of the screens on which they are used. The obvious benefit is that they remove some of the work required to translate between domain model objects and user interface elements, work that is usually performed by the view and controller in an MVC context.

A secondary benefit of presentation models is that they explicitly define what can be bound to domain model objects. Automatic binding such as MVC's ComplexModelBinder and UpdateModel method can potentially allow a malicious user to bind data to properties that the developer didn't intend. For example, when saving their profile they could add an extra form parameter called 'Role' and set its value to 'SuperUser'. If the controller is using ComplexModelBinder or UpdateModel and the domain model object has a property called 'Role', then it could well receive the unintended 'SuperUser' value. Because the presentation model would not have a writable property called 'Role', it would prevent this exploit.
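The following is an added example, not code from the original post, showing the two controller actions side by side in ASP.NET MVC 1.0 style: one that calls UpdateModel on the domain entity and so exposes every writable property, and one that binds to a presentation model that simply has no Role property. The User, ProfileViewModel and IUserRepository types are assumptions made for the illustration.

```csharp
using System.Web.Mvc;

// Domain entity. Role is security-sensitive and must never be set from a form post.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public string Role { get; set; }
}

// Presentation model for the "edit profile" screen: only the fields that screen
// may change. Because there is no Role property, a posted Role field has nowhere to bind.
public class ProfileViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical persistence abstraction, assumed for the example.
public interface IUserRepository
{
    User GetById(int id);
    void Save(User user);
}

public class ProfileController : Controller
{
    private readonly IUserRepository users;

    public ProfileController(IUserRepository users)
    {
        this.users = users;
    }

    // VULNERABLE (the situation described in the post): UpdateModel binds every
    // writable public property of User from the request, so a form that includes
    // Role=SuperUser silently elevates the account when it is saved.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult SaveUnsafe(int id)
    {
        User user = users.GetById(id);
        UpdateModel(user);
        users.Save(user);
        return RedirectToAction("Index");
    }

    // SAFE: the model binder populates ProfileViewModel, which defines the complete
    // set of fields this screen is allowed to change. The controller then copies
    // those fields onto the entity explicitly; Role is never touched.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Save(int id, ProfileViewModel form)
    {
        User user = users.GetById(id);
        user.Name = form.Name;
        user.Email = form.Email;
        users.Save(user);
        return RedirectToAction("Index");
    }
}
```

The presentation model turns the allow-list into a type: adding a sensitive property to User later cannot accidentally widen what the profile screen can write, because the binder only ever sees ProfileViewModel. The alternative of passing an explicit property whitelist to UpdateModel (the overload that takes an array of property names) also works, but that list has to be maintained in every action that touches the entity, and a forgotten entry reintroduces the over-posting problem.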

In the pursuit of simplified views and controllers I am starting to use presentation models more often. The security benefit is just another justification for the extra work. Posted on Monday, January 19, 2009 7:05 PM
