aspnetcore icon indicating copy to clipboard operation
aspnetcore copied to clipboard

Published 20 hours ago verified publisher icon dotnet

ValidateNever applied to action parameters is not honored

Open pranavkm opened this issue 5 years ago • 11 comments

As part of MVC's support for record types, ValidateNeverAttribute is now allowed to be applied to parameters. However, when applied to action parameters, the attribute has no effect and the parameter will continue to be validated.

pranavkm avatar Jul 23 '20 17:07 pranavkm

Thanks for contacting us. We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

ghost avatar Jul 28 '20 20:07 ghost

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

ghost avatar Aug 28 '20 16:08 ghost

Closing this as we haven't seen any feedback in this issue.

pranavkm avatar Jun 15 '21 18:06 pranavkm

This does seem to not work as described. What kind of feedback do you need?

[HttpPost]
public async Task<IActionResult> ActionMethod([FromBody][NeverValidate] ExternalType actionParameter){
..
}

I'd expect this to work since the documentation talks about parameters. But it seems to just be ignored.

EraYaN avatar Jul 15 '21 14:07 EraYaN

We should consider this issue again. If we decide to not add the support, we need at least change the docs to make it very clear.

brunolins16 avatar Sep 30 '22 23:09 brunolins16

I'd like to take this opportunity to advocate for having this addressed.

I have a scenario in which an endpoint may receive a payload consisting of a large number (50k) of complex messages. The specification requires that messages whose validatation succeeds are processed, while messages whose validation fails are not processed, and a response with a custom format is generated which indicates which messages succeeded or failed along with any validation errors.

The ValidateNeverAttribute is one of the few ways to actually disable model validation. There are other approaches that ignore the results of validation, but these do not disable it. Ignoring the automatic validation is not an option in my case due to the performance implications of performing complex validation twice.

The fact that ValidateNeverAttribute doesn't work for parameters means that in some cases the only way to use it is to apply it to a class. But if the class you wish to disable automatic validation for, is the same one you then need to perform manual validation on later, then you have a problem, since the ValidateNeverAttribute applied to the class also disables manual validation.

This is compounded by the fact that ControllerBase.TryValidateModel will recurse and validate a complete payload object graph, while Validator.TryValidateObject does not. The upshot of all this is that if you have a payload object containing nested objects that you wish to disable automatic validation of, but then perform manual validation of in the controller or service, you have no obvious solution at all. You face the prospect of disabling the builtin validation completely and coding something bespoke.

If ValidateNeverAttribute worked in such a way that you could apply it to an action method parameter and it would disable the automatic validation, but still allow you to run validation of the model manually via ControllerBase.TryValidateModel, then anything you wanted to do regarding validation would be possible and life would be rosy.

Neutrino-Sunset avatar Oct 03 '22 15:10 Neutrino-Sunset

I'm also surprised that the documentation contains content that has never been implemented.

My REST API application accepts a new model object in the POST method, but also a partial object in the PUT method so that only the set properties will be changed. That means I need a model class with Required attributes and an exact copy without them. Or I'll just ditch ASP.NET Core model validation for its uselessness in real life and do it all myself. Looks like that's what I have to do.

The default validation kicks in before the action is even called, so I cannot use any validation attributes that might be dynamic. Which is very often the case.

ygoe avatar Feb 10 '23 13:02 ygoe

This is still not working in .NET 6.0, is this ever going to work? Also ValidationAttribute is ignored on action parameters. At some point (.NET CORE 2.1/2.2), there was options.AllowValidatingTopLevelNodes, which was promising, but then it was ditched again. I wish these basic features would just work.

woutware avatar Sep 22 '23 11:09 woutware

Still not working in .NET 8.0

Floyddotnet avatar Dec 28 '23 20:12 Floyddotnet

I too would be very interested in this working. Have the following endpoint that I can't create a proper input model for due to lack of XML-schemas in producing systems. But it fails validation unless I globally disable max-depth validation.

[HttpPatch]
[Consumes(MediaTypeNames.Application.Xml)]
public async Task<IActionResult> PatchFooAsync([FromBody, ValidateNever] XElement foo)

Smurfa avatar Mar 08 '24 09:03 Smurfa

Is there any workaround? I need to perform internal validation and return custom errors for empty parameter but I still would like Swagger documentation to state that it is required.

Mart-Bogdan avatar Aug 27 '24 18:08 Mart-Bogdan