To understand what we did, let's start with where we were a couple days ago. When your Contact object is being model-bound, we will automatically run validation. ASP.NET MVC 1.0 as well, though we didn't have a pluggable validation system so most people weren't even aware that we had any validation support.
The prevailing feature of Input Validation is that we would only run the validators for properties for which there were form inputs.
Let's pretend all three of the properties of our Contact model (besides ID) now have [Required] attributes on them.
With the form in the view above, if you failed to provide a value for any of those properties, you could get a validation error telling you that the field was required. IsValid is how we know if there were any model binding or validation errors.
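The difference between running validators only for posted fields and running them for the whole model, as an added example (not code from the original post or from ASP.NET MVC itself). It is a console simulation built on System.ComponentModel.DataAnnotations; the Contact property names, the simplified Bind helper and the sample form are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
// Constructed model: the property names are assumptions, not taken from the page.
public class Contact
{
    public int ID { get; set; }
    [Required] public string FirstName { get; set; }
    [Required] public string LastName { get; set; }
    [Required] public string Email { get; set; }
}
public static class ValidationDemo
{
    // Hypothetical, simplified binder: copies posted string values onto the model.
    static Contact Bind(IDictionary<string, string> form)
    {
        var c = new Contact();
        foreach (var kv in form)
            typeof(Contact).GetProperty(kv.Key)?.SetValue(c, kv.Value);
        return c;
    }

    // Input Validation: validators run only for properties that had a form input.
    public static List<string> InputValidation(IDictionary<string, string> form)
    {
        var model = Bind(form);
        var errors = new List<ValidationResult>();
        foreach (var name in form.Keys)
            Validator.TryValidateProperty(typeof(Contact).GetProperty(name).GetValue(model),
                new ValidationContext(model) { MemberName = name }, errors);
        return errors.Select(e => e.ErrorMessage).ToList();
    }

    // Model Validation: every validator on the model runs, whatever was posted.
    public static List<string> ModelValidation(IDictionary<string, string> form)
    {
        var model = Bind(form);
        var errors = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model), errors, validateAllProperties: true);
        return errors.Select(e => e.ErrorMessage).ToList();
    }

    public static void Main()
    {
        // Constructed request: LastName is posted empty, Email is not posted at all.
        var form = new Dictionary<string, string> { ["FirstName"] = "Ada", ["LastName"] = "" };
        Console.WriteLine("Input validation: " + string.Join("; ", InputValidation(form)));
        Console.WriteLine("Model validation: " + string.Join("; ", ModelValidation(form)));
    }
}
```

With this form, the first check reports only the empty LastName, while the second also reports the Email field that was never posted.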
After extensive discussion among the team, we've decided to make a last-minute change to ASP.NET MVC 2 in regard to the way that validation is handled.
The conversation was kick-started by my blog post about the Required attribute and what it does (and does not) mean.
More importantly, I want to re-address the security issues I brought up in the last post, now in the context of Model Validation, to understand whether this change makes your applications more secure.
The two major categories of these are: (1) data which is not compatible with the destination type (e.g., submitting "dog" for an integer), and (2) not submitting any data for a value which always needs data (e.g., a non-nullable value type like integer).
These kinds of errors are handled by the model-binding system before validation even happens.