From 5dada9eb2bab2df29ba13c054329ba7986831ee3 Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Wed, 8 Nov 2017 10:37:06 -1000 Subject: [PATCH] Update live with current master (#4741) * Tabbifying script examples per OS (#4735) * Command line deployment * typo fix * edits per review * increased visibility of 'pub to azure' scenarios * removed copy/paste debris * Tabbified the local code segments * fixed merge whoops * attempting to fix TOC * Fixed toc xref * Update implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md (#4745) * Update adding-controller1.md (#4747) * Update adding-controller1.md * Update adding-controller1.md * Update publish-to-azure-webapp-using-vs.md (#4746) --- ...ty-framework-in-asp-net-mvc-application.md | 79 +++++++++---------- .../includes/mvc-intro/adding-controller1.md | 3 +- .../publish-to-azure-webapp-using-cli.md | 35 ++++++++ .../publish-to-azure-webapp-using-vs.md | 4 +- 4 files changed, 77 insertions(+), 44 deletions(-) diff --git a/aspnet/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md b/aspnet/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md index 7a3f14dd97..49c209ebe8 100644 --- a/aspnet/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md +++ b/aspnet/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md 
@@ -46,29 +46,27 @@ The scaffolded code for the Students `Index` page left out the `Enrollments` pro The key value is passed to the method as the `id` parameter and comes from *route data* in the **Details** hyperlink on the Index page. -> [!TIP] -> -> **Route data** -> -> Route data is data that the model binder found in a URL segment specified in the routing table. For example, the default route specifies `controller`, `action`, and `id` segments: -> -> [!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample2.cs?highlight=3)] -> -> In the following URL, the default route maps `Instructor` as the `controller`, `Index` as the `action` and 1 as the `id`; these are route data values. -> -> `http://localhost:1230/Instructor/Index/1?courseID=2021` -> -> "?courseID=2021" is a query string value. The model binder will also work if you pass the `id` as a query string value: -> -> `http://localhost:1230/Instructor/Index?id=1&CourseID=2021` -> -> The URLs are created by `ActionLink` statements in the Razor view. In the following code, the `id` parameter matches the default route, so `id` is added to the route data. -> -> [!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample3.cshtml)] -> -> In the following code, `courseID` doesn't match a parameter in the default route, so it's added as a query string. -> -> [!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample4.cshtml)] +### Tip: **Route data** + +Route data is data that the model binder found in a URL segment specified in the routing table. 
For example, the default route specifies `controller`, `action`, and `id` segments: + +[!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample2.cs?highlight=3)] + +In the following URL, the default route maps `Instructor` as the `controller`, `Index` as the `action` and 1 as the `id`; these are route data values. + +`http://localhost:1230/Instructor/Index/1?courseID=2021` + +"?courseID=2021" is a query string value. The model binder will also work if you pass the `id` as a query string value: + +`http://localhost:1230/Instructor/Index?id=1&CourseID=2021` + +The URLs are created by `ActionLink` statements in the Razor view. In the following code, the `id` parameter matches the default route, so `id` is added to the route data. + +[!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample3.cshtml)] + +In the following code, `courseID` doesn't match a parameter in the default route, so it's added as a query string. + +[!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample4.cshtml)] 1. Open *Views\Student\Details.cshtml*. Each field is displayed using a `DisplayFor` helper, as shown in the following example: 
@@ -99,24 +97,23 @@ The key value is passed to the method as the `id` parameter and comes from *rout - > [!WARNING] - > Security - The `ValidateAntiForgeryToken` attribute helps prevent [cross-site request forgery](../../security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages.md) attacks. It requires a corresponding `Html.AntiForgeryToken()` statement in the view, which you'll see later. - > - > The `Bind` attribute is one way to protect against *over-posting* in create scenarios. For example, suppose the `Student` entity includes a `Secret` property that you don't want this web page to set. - > - > [!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample8.cs?highlight=7)] - > - > Even if you don't have a `Secret` field on the web page, a hacker could use a tool such as [fiddler](http://fiddler2.com/home), or write some JavaScript, to post a `Secret` form value. Without the [Bind](https://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute(v=vs.108).aspx) attribute limiting the fields that the model binder uses when it creates a `Student` instance*,* the model binder would pick up that `Secret` form value and use it to create the `Student` entity instance. Then whatever value the hacker specified for the `Secret` form field would be updated in your database. The following image shows the fiddler tool adding the `Secret` field (with the value "OverPost") to the posted form values. - > - > ![](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/_static/image5.png) - > - > The value "OverPost" would then be successfully added to the `Secret` property of the inserted row, although you never intended that the web page be able to set that property. - > - > It's a security best practice to use the `Include` parameter with the `Bind` attribute to *whitelist* fields. 
It's also possible to use the `Exclude` parameter to *blacklist* fields you want to exclude. The reason `Include` is more secure is that when you add a new property to the entity, the new field is not automatically protected by an `Exclude` list. - > - > You can prevent overposting in edit scenarios is by reading the entity from the database first and then calling `TryUpdateModel`, passing in an explicit allowed properties list. That is the method used in these tutorials. - > - > An alternative way to prevent overposting that is preferred by many developers is to use view models rather than entity classes with model binding. Include only the properties you want to update in the view model. Once the MVC model binder has finished, copy the view model properties to the entity instance, optionally using a tool such as [AutoMapper](http://automapper.org/). Use db.Entry on the entity instance to set its state to Unchanged, and then set Property("PropertyName").IsModified to true on each entity property that is included in the view model. This method works in both edit and create scenarios. +### Security warning - The `ValidateAntiForgeryToken` attribute helps prevent [cross-site request forgery](../../security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages.md) attacks. It requires a corresponding `Html.AntiForgeryToken()` statement in the view, which you'll see later. + +The `Bind` attribute is one way to protect against *over-posting* in create scenarios. For example, suppose the `Student` entity includes a `Secret` property that you don't want this web page to set. + +[!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample8.cs?highlight=7)] + +Even if you don't have a `Secret` field on the web page, a hacker could use a tool such as [fiddler](http://fiddler2.com/home), or write some JavaScript, to post a `Secret` form value. 
Without the [Bind](https://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute(v=vs.108).aspx) attribute limiting the fields that the model binder uses when it creates a `Student` instance*,* the model binder would pick up that `Secret` form value and use it to create the `Student` entity instance. Then whatever value the hacker specified for the `Secret` form field would be updated in your database. The following image shows the fiddler tool adding the `Secret` field (with the value "OverPost") to the posted form values. + +![](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/_static/image5.png) + +The value "OverPost" would then be successfully added to the `Secret` property of the inserted row, although you never intended that the web page be able to set that property. + +It's a security best practice to use the `Include` parameter with the `Bind` attribute to *whitelist* fields. It's also possible to use the `Exclude` parameter to *blacklist* fields you want to exclude. The reason `Include` is more secure is that when you add a new property to the entity, the new field is not automatically protected by an `Exclude` list. + +You can prevent overposting in edit scenarios is by reading the entity from the database first and then calling `TryUpdateModel`, passing in an explicit allowed properties list. That is the method used in these tutorials. + +An alternative way to prevent overposting that is preferred by many developers is to use view models rather than entity classes with model binding. Include only the properties you want to update in the view model. Once the MVC model binder has finished, copy the view model properties to the entity instance, optionally using a tool such as [AutoMapper](http://automapper.org/). Use db.Entry on the entity instance to set its state to Unchanged, and then set Property("PropertyName").IsModified to true on each entity property that is included in the view model. 
This method works in both edit and create scenarios. Other than the `Bind` attribute, the `try-catch` block is the only change you've made to the scaffolded code. If an exception that derives from [DataException](https://msdn.microsoft.com/en-us/library/system.data.dataexception.aspx) is caught while the changes are being saved, a generic error message is displayed. [DataException](https://msdn.microsoft.com/en-us/library/system.data.dataexception.aspx) exceptions are sometimes caused by something external to the application rather than a programming error, so the user is advised to try again. Although not implemented in this sample, a production quality application would log the exception. For more information, see the **Log for insight** section in [Monitoring and Telemetry (Building Real-World Cloud Apps with Azure)](../../../../aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/monitoring-and-telemetry.md#log). diff --git a/aspnetcore/includes/mvc-intro/adding-controller1.md b/aspnetcore/includes/mvc-intro/adding-controller1.md index 1b352b267a..e723c03fe0 100644 --- a/aspnetcore/includes/mvc-intro/adding-controller1.md +++ b/aspnetcore/includes/mvc-intro/adding-controller1.md 
@@ -8,5 +8,4 @@ The Model-View-Controller (MVC) architectural pattern separates an app into thre The MVC pattern helps you create apps that separate the different aspects of the app (input logic, business logic, and UI logic), while providing a loose coupling between these elements. The pattern specifies where each kind of logic should be located in the app. The UI logic belongs in the view. Input logic belongs in the controller. Business logic belongs in the model. This separation helps you manage complexity when you build an app, because it enables you to work on one aspect of the implementation at a time without impacting the code of another. For example, you can work on the view code without depending on the business logic code. -We cover these concepts in this tutorial series and show you how to use them to build a movie app. The MVC project contains folders for the *Controllers* and *Views*. A *Models* folder will be added in a later step. - +We cover these concepts in this tutorial series and show you how to use them to build a movie app. The MVC project contains folders for the *Controllers* and *Views*. diff --git a/aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md b/aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md index 8696b578ab..f15107d987 100644 --- a/aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md +++ b/aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md @@ -12,6 +12,7 @@ ms.prod: asp.net-core ms.technology: aspnet ms.custom: mvc ms.devlang: dotnet +uid: tutorials/publish-to-azure-webapp-using-cli --- # Deploy an ASP.NET Core application to Azure App Service from the command line @@ -38,6 +39,7 @@ To complete this tutorial, you'll need: Create a new directory for the web application, create a new ASP.NET Core MVC application, and then run the website locally. +# [Windows](#tab/windows) ```cmd REM Create a new ASP.NET Core MVC application dotnet new razor -o MyApplication 
@@ -49,6 +51,19 @@ REM Run the application dotnet run ``` +# [Other](#tab/other) +```bash +# Create a new ASP.NET Core MVC application +dotnet new razor -o MyApplication + +# Change to the new directory that was just created +cd MyApplication + +# Run the application +dotnet run +``` +--- + ![Command line output](publish-to-azure-webapp-using-cli/_static/new_prj.png) Test the application by browsing to http://localhost:5000. @@ -94,6 +109,7 @@ You're ready to deploy from your local machine using Git. > [!NOTE] It's safe to ignore any warnings from Git about line endings. +# [Windows](#tab/windows) ```cmd REM Initialize the local Git repository git init @@ -111,6 +127,25 @@ REM Push the local repository to the remote git push azure master ``` +# [Other](#tab/other) +```bash +# Initialize the local Git repository +git init + +# Add the contents of the working directory to the repo +git add --all + +# Commit the changes to the local repo +git commit -a -m "Initial commit" + +# Add the URL as a Git remote repository +git remote add azure + +# Push the local repository to the remote +git push azure master +``` +--- + Git will prompt for the deployment credentials that were set earlier. After authenticating, the application will be pushed to the remote location, built, and deployed. ![Git deployment output](publish-to-azure-webapp-using-cli/_static/post_deploy.png) diff --git a/aspnetcore/tutorials/publish-to-azure-webapp-using-vs.md b/aspnetcore/tutorials/publish-to-azure-webapp-using-vs.md index f378019c26..e4c1399e8f 100644 --- a/aspnetcore/tutorials/publish-to-azure-webapp-using-vs.md +++ b/aspnetcore/tutorials/publish-to-azure-webapp-using-vs.md 
@@ -16,6 +16,8 @@ uid: tutorials/publish-to-azure-webapp-using-vs By [Rick Anderson](https://twitter.com/RickAndMSFT), [Cesar Blum Silveira](https://github.com/cesarbs), and [Rachel Appel](https://twitter.com/rachelappel) +See [Publish to Azure from Visual Studio for Mac](https://blog.xamarin.com/publish-azure-visual-studio-mac/) if you are working on a Mac. + ## Set up * Open a [free Azure account](https://aka.ms/K5y5yh) if you do not have one. @@ -179,4 +181,4 @@ When you have finished testing the app, go to the [Azure portal](https://portal. ### Next steps -* [Continuous Deployment to Azure with Visual Studio and Git](../publishing/azure-continuous-deployment.md) \ No newline at end of file +* [Continuous Deployment to Azure with Visual Studio and Git](../publishing/azure-continuous-deployment.md)
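Review bot: In the route data hunk of implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md (@@ -46,29 +46,27 @@), the new heading "### Tip: **Route data**" carries bold markup inside a heading. Turning the "> [!TIP]" callout into an H3 also places a section heading between the sentence about the `id` parameter and step 1 ("Open *Views\Student\Details.cshtml*"), so the aside now reads as part of the procedure and shows up in the page outline. Suggest plain "### Tip: Route data" at minimum, and a line in the commit message saying why the callout syntax was dropped.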
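Review bot: In the over-posting hunk of implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md (@@ -99,24 +97,23 @@), the added heading line runs the first paragraph into the heading: "### Security warning - The `ValidateAntiForgeryToken` attribute helps prevent ...". Keep the heading as "### Security warning" and start the `ValidateAntiForgeryToken` paragraph on its own line, otherwise the CSRF guidance renders as heading text. Since every line of the block is being rewritten anyway, three carried-over defects could be fixed in the same change: "You can prevent overposting in edit scenarios is by reading the entity" has a stray "is", the comma after "`Student` instance" is still wrapped in emphasis markers, and `db.Entry` and `Property("PropertyName").IsModified` in the view-model paragraph are not in code formatting.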
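Review bot: In aspnetcore/includes/mvc-intro/adding-controller1.md (@@ -8,5 +8,4 @@), dropping "A *Models* folder will be added in a later step." leaves the closing paragraph naming only the *Controllers* and *Views* folders, directly after context that says "Business logic belongs in the model." A reader is no longer told where the model code will live. If the sentence was removed because the include is shared by tutorials that do not add the folder later, say so in the commit message. Otherwise keep a short pointer to where the model is introduced.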
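Review bot: In the first tabbed block of aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md (@@ -49,6 +51,19 @@), the added bash comment "# Create a new ASP.NET Core MVC application" does not match the command under it, `dotnet new razor -o MyApplication`: the `razor` template creates a Razor Pages app, not an MVC one. The Windows tab has the same wording in its REM comment, so fix both together, either by changing the comments to say Razor Pages or by using the MVC template if that is what the tutorial intends. The "# [Other](#tab/other)" heading is also followed by the opening fence with no blank line between them. Check that the tab renders as expected.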
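Review bot: In the Git deployment block of aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md (@@ -111,6 +127,25 @@), the added line `git remote add azure` has no URL argument even though its comment reads "Add the URL as a Git remote repository". `git remote add` needs both a name and a URL, so the command fails as written. If a placeholder was intended, write it so that it survives rendering, and state which value from the earlier App Service step goes there so readers do not paste a URL with credentials embedded. Minor: `git add --all` followed by `git commit -a` is redundant. Plain `git commit -m "Initial commit"` is enough after the add.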