-2

Pretty much all literature I've read on ASP.NET MVC over the years describes ModelState.IsValid as something that comes into play only with HTTP POST action methods. I understand this is the convention, but would assume ModelState.IsValid is also assigned -- and should be checked as necessary -- in HTTP GET action methods that involve model binding. Can anyone confirm this?

Pancake
  • 739
  • 1
  • 5
  • 20
  • 4
    Because you shouldn't be doing updates with GET requests. – Jasen May 02 '17 at 01:37
  • Who said anything about updates? – Pancake May 02 '17 at 01:40
  • 1
    Elaborate for a better answer, what would you be doing besides an update? – Trevor Hart May 02 '17 at 01:49
  • The `DefaultModelBinder` adds values to `ModelState` (from the parameters in you method) for both `HttpGet` and `HttpPost` methods (if you have a model as a parameter in a `HttpGet` method (generally your should not) and that model contains validation attributes and the query string or route values are not valid, then `ModelState` will be invalid. –  May 02 '17 at 02:08
  • @StephenMuecke, thank you for taking the time to read the question and your thoughtful answer. Since any parameter or sequence of parameters would qualify as a model (and in most cases could potentially fail validation), I'm going to take your answer as a "yes". Do you have a citation? – Pancake May 02 '17 at 02:17
  • "describes ModelState.IsValid as something that comes into play only with HTTP POST action methods" This isn't true. The model binder works with query parameters for get requests. –  May 02 '17 at 02:18
  • 3
    Inspect the source code, but its not that hard to test :). Just create a simple model with one `string` property with a `[Required]` attribute, add it as a parameter to one of your `[HttpGet]` methods, navigate to it and check `ModelState.IsValid` –  May 02 '17 at 02:20
  • But just having a say `string xxx` parameter in your method wont make `ModelState` invalid because the parameter on its own does not have any validation attributes applied - it needs to be a model –  May 02 '17 at 02:22
  • Thanks for the reply @Amy. The gap in documentation with regard to ModelState.IsValid in HTTP GET scenarios is actually true, likely because most people (like my downvoting friend) don't use the framework beyond remedial scenarios. Also, my question is specific to ModelState.IsValid, not the act of model binding itself, which obviously happens on GET actions. Any citation you can provide with regard to ModelState.IsValid would be greatly appreciated. – Pancake May 02 '17 at 02:25
  • @StephenMuecke - true, but "decimal d" would make it invalid, if you attempt to bind a value like "1,000" with the DefaultModelBinder. – Pancake May 02 '17 at 02:26
  • 1
    No, It would throw an exception before the `DefaultModelBinder` code is even run –  May 02 '17 at 02:30
  • @StephenMuecke, this is a reasonable assumption but it's actually not true. Besides, what would be throwing the exception if not the model binder? What actually happens here is that ModelState.IsValid is set to false, and no exception is thrown. See here: http://stackoverflow.com/questions/26849177/viewdata-modelstate-isvalid-is-false-because-mvc-cant-parse-value-which-has-sep .. different scenario but illustrates the point. – Pancake May 02 '17 at 02:39
  • 1
    Wrong. An exception will be thrown - _The parameters dictionary contains a ....._ –  May 02 '17 at 02:45
  • @StephenMuecke - my mistake, I meant type INullable. Just tested, no exception thrown, ModelState.IsValid = false. So your assertion that "having a ... parameter in your method wont make ModelState invalid because the parameter on its own does not have any validation attributes applied" is completely false. Unfortunately this was a distraction from my original question, which still hasn't actually received a meaningful answer :( – Pancake May 02 '17 at 03:15
  • 1
    Can you provide an example case where " should be checked as necessary -- in HTTP GET action methods that involve model binding". Do you mean for example where you load a viewmodel so that it can be 'GET'ed, and you might have bugs in your load code that make the model invalid? This whole thread just looks like nitpicking without some idea of what your'e getting at. It might all just be down to trying to fit a strongly typed backend (C#) up against a decidedly sloppier one (HTTP) – Nick.Mc May 02 '17 at 03:26
  • 1
    Yes, but now your providing an invalid value for the parameter, so of course its not valid. And what answer are you expecting. You seem to be confused about the whole model binding process –  May 02 '17 at 03:31
  • @StephenMuecke I think we agree that it's not valid. I'm simply illustrating how wrong you are about the relationship between ModelState.IsValid, validation attributes, and exceptions. – Pancake May 02 '17 at 03:49

1 Answers1

3

Readers should be reminded that the question has nothing to do with "updating".

ModelState.IsValid isn't strictly related to validation attributes.

For readers that are looking for a simple answer to a simple question, I've confirmed in the debugger it is "yes" - ModelState.IsValid is set for both GET and POST requests. As such, it should be explicitly checked in both cases, since exceptions will not be thrown when validation errors such as assigning the value "1,000" to a decimal? arise (see my comment above).

Pancake
  • 739
  • 1
  • 5
  • 20
  • Please use the edit link on your question to add additional information. The Post Answer button should be used only for complete answers to the question. - [From Review](/review/low-quality-posts/16003721) – mehrdad khosravi May 02 '17 at 03:58
  • I believe the answer is clearly stated in my post: _"yes" - ModelState.IsValid is set for both GET and POST requests_. – Pancake May 02 '17 at 04:05
  • I'm still curious to a use case where you use GET, _and_ should check for `Model.IsValid`. If your GET is for read-only purposes, then the only way data gets into your model is from the database or from some internal logic. So maybe it makes sense the check for completeness, but consistency should have already been taken care of in the model population step. – Nick.Mc May 02 '17 at 04:09
  • @Nick.McDermaid I agree this would primarily serve as a sanity check in most cases. My question doesn't relate to a specific use case -- I asked because in my reading, server-side validation is portrayed as being specific to POST action methods, not model binding itself -- and I wanted to confirm my suspicion that this was not the case. – Pancake May 02 '17 at 04:20