How can i prevent some values from being updated if i am passing an object to the model binder

Question

I have an object named Visit with the following properties:-

Note DoctorID VisitTypeID CreatedBy Date VisitID PatientID StatusID Timestamp

In the Edit view the user can only edit the following two properties :- Note DoctorID So i have added the other properties as hidden field in my edit view as follow:-

    @using (Html.BeginForm()) {
        @Html.ValidationSummary(true)
        <fieldset>
            <legend>Visit</legend>
            <div class="editor-label">
                @Html.LabelFor(model => model.Note)
            </div>
            <div class="editor-field">
                @Html.EditorFor(model => model.Note)
                @Html.ValidationMessageFor(model => model.Note)
            </div>

            <div class="editor-label">
                @Html.LabelFor(model => model.DoctorID)
            </div>
            <div class="editor-field">
                @Html.DropDownList("DoctorID", String.Empty)
                @Html.ValidationMessageFor(model => model.DoctorID)
            </div>

            <p>
              @Html.HiddenFor(model => model.VisitTypeID)
              @Html.HiddenFor(model => model.CreatedBy)
              @Html.HiddenFor(model => model.Date)
              @Html.HiddenFor(model => model.VisitID)
              @Html.HiddenFor(model => model.PatientID)
              @Html.HiddenFor(model => model.StatusID)
              @Html.HiddenFor(model => model.timestamp)

            <input type="submit" value="Create" />

I haveto include all the properties in my edit view since i am passing a Visit object to my post edit action method,, which looks as follow:-

  [HttpPost]
            public ActionResult Edit(Visit visit)
            {
                if (!(visit.Editable(User.Identity.Name)))
                {
                    return View("NotFound");
                }
                try
                {
                    if (ModelState.IsValid)
                    {
                        repository.UpdateVisit(visit);
                        repository.Save();
                        return RedirectToAction("Index");
                    }
                }
                catch (DbUpdateConcurrencyException ex)
                {
    var entry = ex.Entries.Single();
                    var clientValues = (Visit)entry.Entity;

                    ModelState.AddModelError(string.Empty, "The record you attempted to edit "
                    + "was modified by another user after you got the original value. The "

    //code goes here

So i am worried about the above approach for these reasons:- 1. an attacker might modify the hiddenfields values. 2. i can not define a [Bind(Include = "....")] at my Visit model class.

So i am unable to decide if i should continue using this approach OR there is a better approach to follow

Answer 1

You could potentially re-pull the Visit object in your controller then carry over only the two fields you wish to populate. That would secure that only those two fields are edited.

Visit existingVisit = /* retrieve Visit */;
existingVisit.Note = visit.Note;
existingVisit.DoctorID = visit.DoctorID;
repostistory.Update(existingVisit);
reposistory.SaveChanges();

However, I may event take it a step further and create a view model for that specific action which would only include the fields you're concerned with.