Controller methods and views
==================================================

By `Rick Anderson`_

We have a good start to the movie app, but the presentation is not ideal. We don't want to see the time on the release date and **ReleaseDate** should be two words.

.. image:: working-with-sql/_static/m55.png

Open the *Models/Movie.cs* file and add the highlighted lines shown below:

.. literalinclude:: start-mvc/sample/src/MvcMovie/Models/MovieDate.cs
  :language: c#
  :lines: 7-18
  :dedent: 4
  :linenos:
  :emphasize-lines: 6-7

- Right click on a red squiggly line **> Quick Actions**.

.. image:: controller-methods-views/_static/qa.png

- Tap ``using System.ComponentModel.DataAnnotations;``

.. image:: controller-methods-views/_static/da.png

Visual Studio adds ``using System.ComponentModel.DataAnnotations;``.

Let's remove the ``using`` statements that are not needed. They show up by default in a light grey font. Right click anywhere in the *Movie.cs* file **> Organize Usings > Remove Unnecessary Usings**.

.. image:: controller-methods-views/_static/rm.png

The completed file is shown below:

.. literalinclude:: start-mvc/sample/src/MvcMovie/Models/MovieDate.cs
  :language: c#
  :lines: 2-19
  :dedent: 0
  :linenos:
  :emphasize-lines: 2,11-12

.. TODO next version replace DataAnnotations links below with ASP.NET 5 version

We'll cover `DataAnnotations `__ in the next tutorial. The `Display `__ attribute specifies what to display for the name of a field (in this case "Release Date" instead of "ReleaseDate"). The `DataType `__ attribute specifies the type of the data, in this case it's a date, so the time information stored in the field is not displayed.

Browse to the ``Movies`` controller and hold the mouse pointer over an **Edit** link to see the target URL.

.. image:: controller-methods-views/_static/edit7.png

.. TODO move dave's A TH article to docs.asp.net - DP has agreed

The **Edit**, **Details**, and **Delete** links are generated by the `MVC 6 Anchor Tag Helper `__ in the *Views/Movies/Index.cshtml* file.

.. literalinclude:: start-mvc/sample/src/MvcMovie/Views/Movies/Index.cshtml
  :language: HTML
  :lines: 43-47
  :dedent: 8
  :linenos:
  :emphasize-lines: 2-4

:doc:`Tag Helpers ` enable server-side code to participate in creating and rendering HTML elements in Razor files. In the code above, the `Anchor Tag Helper `__ dynamically generates the HTML ``href`` attribute value from the controller action method and route id. You can use **View Source** from your favorite browser or the **F12** tools to examine the generated markup. The **F12** tools are shown below.

.. image:: controller-methods-views/_static/f12.png

Recall the format for routing set in the *Startup.cs* file.

.. literalinclude:: start-mvc/sample/src/MvcMovie/Startup.cs
  :language: c#
  :linenos:
  :lines: 83-88
  :dedent: 8
  :emphasize-lines: 5

ASP.NET translates ``http://localhost:1234/Movies/Edit/4`` into a request to the ``Edit`` action method of the ``Movies`` controller with the parameter ``ID`` of 4. (Controller methods are also known as `action methods `__.)

:doc:`/views/tag-helpers/index` are one of the most popular new features in ASP.NET 5. See `Additional resources`_ for more information.

Open the ``Movies`` controller and examine the two ``Edit`` action methods:

.. image:: controller-methods-views/_static/1.png

.. literalinclude:: start-mvc/sample/src/MvcMovie/Controllers/MoviesController.cs
  :language: c#
  :lines: 62-89
  :dedent: 8
  :linenos:

.. note:: The code generated by the scaffolding engine above has a serious `over-posting security vulnerability `__. Be sure you understand how to protect against over-posting before you publish your app. This security vulnerability should be fixed in the next release.

Replace the ``HTTP POST Edit`` action method with the following:

.. literalinclude:: start-mvc/sample/src/MvcMovie/Controllers/MoviesController.cs
  :language: c#
  :lines: 109-122
  :dedent: 8
  :linenos:
  :emphasize-lines: 5

The ``[Bind]`` attribute is one way to protect against `over-posting `__. You should only include properties in the ``[Bind]`` attribute that you want to change. Apply the ``[Bind]`` attribute to each of the ``[HttpPost]`` action methods. See `Protect your controller from over-posting `__ for more information.

Notice the second ``Edit`` action method is preceded by the ``[HttpPost]`` attribute.

.. literalinclude:: start-mvc/sample/src/MvcMovie/Controllers/MoviesController.cs
  :language: c#
  :lines: 109-122
  :dedent: 8
  :linenos:
  :emphasize-lines: 1-2

The ``[HttpPost]`` attribute specifies that this ``Edit`` method can be invoked *only* for ``POST`` requests. You could apply the ``[HttpGet]`` attribute to the first edit method, but that's not necessary because ``[HttpGet]`` is the default.

The ``[ValidateAntiForgeryToken]`` attribute is used to prevent forgery of a request and is paired up with an anti-forgery token generated in the edit view file (*Views/Movies/Edit.cshtml*). The edit view file generates the anti-forgery token in the `Form Tag Helper `__.

.. code-block:: HTML

The `Form Tag Helper `__ generates a hidden anti-forgery token that must match the ``[ValidateAntiForgeryToken]`` generated anti-forgery token in the ``Edit`` method of the Movies controller. For more information, see :doc:`../../security/anti-request-forgery`.

The ``HttpGet Edit`` method takes the movie ``ID`` parameter, looks up the movie using the Entity Framework ``Single`` method, and returns the selected movie to the Edit view. If a movie cannot be found, ``HttpNotFound`` is returned.

.. literalinclude:: start-mvc/sample/src/MvcMovie/Controllers/MoviesController.cs
  :language: c#
  :lines: 93-108
  :dedent: 8
  :linenos:

When the scaffolding system created the Edit view, it examined the ``Movie`` class and created code to render ``
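
The over-posting risk that the note and the ``[Bind]`` paragraph above describe, as an added example (not the tutorial's or the framework's code): a simplified stand-in for model binding shows how a posted field that the Edit form never rendered reaches the model unless binding is limited to an include list. The ``Approved`` property, the ``Bind`` helper and the sample form values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

// Constructed model: a few of the tutorial's Movie fields plus a hypothetical
// server-controlled property that the Edit form never renders.
public class Movie
{
    public int ID { get; set; }
    public string Title { get; set; }
    public decimal Price { get; set; }
    public bool Approved { get; set; }   // hypothetical, not in the tutorial
}

public static class OverPostingDemo
{
    // Simplified stand-in for MVC model binding (not framework code): copies
    // posted fields onto same-named properties. When `include` is supplied,
    // only the listed properties are bound, which is the effect of [Bind].
    public static Movie Bind(IDictionary<string, string> form, string include = null)
    {
        var allowed = include == null ? null : new HashSet<string>(
            include.Split(',').Select(name => name.Trim()));
        var movie = new Movie();
        foreach (var prop in typeof(Movie).GetProperties())
        {
            if (allowed != null && !allowed.Contains(prop.Name)) continue;
            if (!form.TryGetValue(prop.Name, out var raw)) continue;
            prop.SetValue(movie, Convert.ChangeType(
                raw, prop.PropertyType, CultureInfo.InvariantCulture));
        }
        return movie;
    }

    public static void Main()
    {
        // Constructed POST body: three fields from the form plus one extra
        // field the client added on its own.
        var form = new Dictionary<string, string>
        {
            ["ID"] = "4", ["Title"] = "Ghostbusters",
            ["Price"] = "7.99", ["Approved"] = "true"
        };
        Movie unrestricted = Bind(form);
        Movie restricted = Bind(form, "ID,Title,Price");
        Console.WriteLine($"No include list: Approved = {unrestricted.Approved}");
        Console.WriteLine($"Include list:    Approved = {restricted.Approved}");
    }
}
```

Without an include list the extra ``Approved`` field is bound from the request; with the list it stays at its default because it is not named there.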