(C# ASP.NET Core) Preventing Over-Posting of a Collection in a WebApi

If an API has to return a collection of records, and if we do not want entire objects transmitted, then we can use a Data Transfer Object to return a small subset of properties, just-the-required subset. For a primer on over-posting, please refer the previous tutorial "Over-Posting in WebApi and a Solution with Data Transfer Object".
(Rev. 19-Mar-2024)

Categories | About |     |  

Parveen,

Preparation of a DTO

Please refer the previous tutorial where we have added a DTO class for the doctor as you see here.

The actual entity is a Doctor. But it contains a property called EMail that we do not want transmitted.

To prevent over-posting, we have added a DTO class that excludes that property. 

// Models -> Doctor.cs 
// model class 
public class Doctor
{

  [Key]
  [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
  public int Id { get; set; }

  // name prop 
  public string Name { get; set; } = default!;

  public int Fees { get; set; }

  // field to be hidden from web-api 
  public String? EMail { get; set; } = default!;

}

// DTO class for the doctor 
public record DoctorDTO
{

  [Key]
  [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
  public int Id { get; init; }

  // name prop 
  public string Name { get; init; } = default!;

  public int Fees { get; init; }

  // conversion constructor 
  public DoctorDTO(Doctor doctor) =>
    (Id, Name, Fees) = (doctor.Id, doctor.Name, doctor.Fees);

}

Video Explanation (see it happen!)

Please watch the following youtube video:

Modifying our WebApi

Open the project that we are completing for the past few tutorials. Locate the Program.cs file and open it. Scroll to the part that you are seeing here.

Take the case of this web api that returns a collection of Doctor objects. 

app.MapGet("/doctor/all", async (MyApiContext ctx) =>
{

  return await ctx.Doctors.ToListAsync();

});

But we do not want the EMail property to be sent as a part of this collection - simply because it is irrelevant, or perhaps because it is not required, and perhaps because of security.

The solution is to use a projection to return a collection of DTO objects like so: ctx.Doctors.Select(x => new DoctorDTO(x)) 

app.MapGet("/doctor/all", async (MyApiContext ctx) =>
{

  return await ctx.Doctors.Select(x => new DoctorDTO(x)).ToListAsync();

}

);

If you are following our course on ASPNET Core then you can obtain the project from the attached downloads.

Run the Project

Run the project (see the linked video) and make a request to the web api. We verify that we receive the collection, but the EMail property is excluded. Thanks!


This Blog Post/Article "(C# ASP.NET Core) Preventing Over-Posting of a Collection in a WebApi" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.