
The security benefit of using presentation models

Presentation models, or screen-bound DTOs, are lightweight classes tailored to the needs of the screens on which they are used. The obvious benefit is that they remove some of the work required to translate between domain model objects and user interface elements, work that is usually performed by the view and controller in an MVC application.

A secondary benefit of presentation models is that they explicitly define what can be bound from a request. Automatic binding such as MVC’s ComplexModelBinder and the UpdateModel method binds every form field whose name matches a writable property on the target object, so a malicious user can bind data to properties that the developer did not intend. For example, when saving their profile they could add an extra form parameter called ‘Role’ and set its value to ‘SuperUser’. If the controller uses ComplexModelBinder or UpdateModel directly against the domain model object, and that object has a writable property called ‘Role’, then it could well receive the unintended ‘SuperUser’ value and the user would be promoted. Because the presentation model for the profile screen has no ‘Role’ property at all, the extra field has nothing to bind to and is simply discarded, which prevents this exploit (commonly called over-posting or mass assignment).
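The following ASP.NET MVC example is added here to illustrate the point; it is not code from the original post. It shows the vulnerable pattern (UpdateModel against the domain object) next to the safe pattern (binding to a presentation model and copying only the permitted fields). The IUserRepository interface and the ProfileController action names are assumptions made for the example.

```csharp
using System.Web.Mvc;

// Domain model: everything the application knows about a user,
// including fields a user must never be able to set for themselves.
public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public string Role { get; set; }   // e.g. "Member" or "SuperUser"
}

// Presentation model for the "edit profile" screen: only the fields that
// screen is allowed to change. There is deliberately no Role property, so a
// posted "Role=SuperUser" field has nothing to bind to and is discarded.
public class EditProfileModel
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

// Hypothetical persistence interface, assumed for the example.
public interface IUserRepository
{
    User GetById(int id);
    void Save(User user);
}

public class ProfileController : Controller
{
    private readonly IUserRepository _users;

    public ProfileController(IUserRepository users)
    {
        _users = users;
    }

    // VULNERABLE: UpdateModel binds every form field whose name matches a
    // writable property on the domain object. A request body such as
    // "DisplayName=Bob&Email=bob@example.com&Role=SuperUser"
    // silently promotes the caller because Role is writable on User.
    [HttpPost]
    public ActionResult SaveUnsafe(int id)
    {
        var user = _users.GetById(id);
        UpdateModel(user);              // binds DisplayName, Email ... and Role
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // SAFE: bind to the presentation model, then copy only the permitted
    // fields onto the domain object. Role is never read from the request.
    [HttpPost]
    public ActionResult Save(int id, EditProfileModel form)
    {
        if (!ModelState.IsValid)
            return View(form);

        var user = _users.GetById(id);
        user.DisplayName = form.DisplayName;
        user.Email = form.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }
}
```

A quick check for any action that binds a domain object: post the form with an extra field named after a privileged property (here ‘Role’) and confirm the stored record is unchanged. Note that MVC’s [Bind(Exclude = "Role")] attribute also blocks the field, but it is a blacklist that fails open the moment someone adds another privileged property to the domain class; the presentation model is a whitelist by construction, so newly added domain properties stay unbindable until a developer explicitly exposes them.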

In the pursuit of simplified views and controllers I am starting to use presentation models more often. The security benefit is just another justification to overcome the extra work.

This article is part of the GWB Archives. Original Author: Liam McLennan
