I have a model class that has an AreDuesPaid property that I want only administrators to be able to see and edit.
The class looks something like this:
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class ClubMember
{
    [ScaffoldColumn(false)]
    public int Id { get; set; }

    [Display(Name = "First Name")]
    [Required(ErrorMessage = "First name is required")]
    public string FirstName { get; set; }

    [Display(Name = "Last Name")]
    [Required(ErrorMessage = "Last name is required")]
    public string LastName { get; set; }

    [Display(Name = "Email Address")]
    [DataType(DataType.EmailAddress)]
    public string EmailAddress { get; set; }

    [DataType(DataType.PhoneNumber)]
    [Display(Name = "Phone Number")]
    public string PhoneNumber { get; set; }

    [Authorize(Roles = "Administrator")] // error: this can only be used for methods
    public bool AreDuesPaid { get; set; }
}
I thought maybe I could use the Authorize attribute, but the compiler tells me this is only for methods.
So, I’m wondering, how can I limit access to a particular property when using DisplayForModel() and EditorForModel() to auto-scaffold views?
Do I need to create entirely separate views and view models or is there an easier way?
Here is the solution I ended up going with:
- A view model: ViewModels.ClubMember.EditorModel.
- A second view model: ViewModels.ClubMember.AdminEditorModel.
- AdminEditorModel is a property on EditorModel.
- When building the EditorModel, the service that gets the model checks the credentials of the logged-in user. If the user is an admin, the AdminEditorModel property is populated; otherwise, it gets set to null.
- I use EditorForModel() to render the EditorModel, then, if the AdminEditorModel is not null, use EditorFor(model => model.AdminEditorModel) to scaffold the remaining properties. (Note: AdminEditorModel will not be automatically scaffolded when doing EditorForModel() because the default object template specifically ignores complex properties.)

This took some work to implement, but so far, I’m finding it to be a fairly clean solution. It seems to work well with validation, too.
Update
Based on some of the comments on ebb’s answer (especially Danny’s), I decided to shore things up a little more by using completely separate pages for admins vs. regular users. Each page gets its own view model (EditorModel and AdminEditorModel). This took even more work than my initial solution (I had to add new actions to my controller and add mappings between view models and models), but the end result is yet another level cleaner and definitely more secure.
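As an added illustration of the separate-pages approach from the update (this is example code, not code from the original post), the two view models and the admin-only controller actions could look like this in ASP.NET MVC. IClubMemberService and its methods are hypothetical, and deriving AdminEditorModel from EditorModel is an assumption made here to avoid repeating the shared fields.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Member-facing view model: it has no AreDuesPaid property at all, so the
// default model binder has nothing to bind even if a form posts that field.
public class EditorModel
{
    public int Id { get; set; }
    [Display(Name = "First Name"), Required(ErrorMessage = "First name is required")]
    public string FirstName { get; set; }
    [Display(Name = "Last Name"), Required(ErrorMessage = "Last name is required")]
    public string LastName { get; set; }
}

// Admin-only view model (inheriting from EditorModel is an assumption made here).
public class AdminEditorModel : EditorModel
{
    [Display(Name = "Dues Paid")]
    public bool AreDuesPaid { get; set; }
}

public class ClubMemberController : Controller
{
    // IClubMemberService is a hypothetical data-access interface.
    private readonly IClubMemberService _service;
    public ClubMemberController(IClubMemberService service) { _service = service; }

    // Regular members: the GET renders EditorModel and the POST binds only EditorModel.
    [Authorize]
    public ActionResult Edit(int id) { return View(_service.GetEditorModel(id)); }
    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Edit(EditorModel model)
    {
        if (!ModelState.IsValid) return View(model);
        _service.SaveMemberFields(model);   // never writes AreDuesPaid
        return RedirectToAction("Edit", new { id = model.Id });
    }

    // Administrators: the role check is enforced on both GET and POST, so the
    // protection does not depend on which fields a view happened to render.
    [Authorize(Roles = "Administrator")]
    public ActionResult AdminEdit(int id) { return View(_service.GetAdminEditorModel(id)); }
    [HttpPost, Authorize(Roles = "Administrator"), ValidateAntiForgeryToken]
    public ActionResult AdminEdit(AdminEditorModel model)
    {
        if (!ModelState.IsValid) return View(model);
        _service.SaveAdminFields(model);    // the only path that writes AreDuesPaid
        return RedirectToAction("AdminEdit", new { id = model.Id });
    }
}
```

Each page's view can then call EditorForModel() on its own view model, and AreDuesPaid is only scaffolded, bound and saved through the AdminEdit actions.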