When developing Power Pages sites, a common practice is to use JavaScript to add custom behaviours to forms or to do some validation in the front-end, which is great and simple to do.
However, we cannot rely on those customisations for data integrity and security when these are required.
For example, suppose you add text field format validations using JavaScript, or limit the options of a choice field (say, a Status field where external users should create records only with status ‘Pending’ or ‘Submitted’ and never with ‘Approved’, ‘Rejected’ or ‘Cancelled’). If there are no server-side restrictions in place, those checks can be easily bypassed by someone using the browser DevTools or calling the API directly.
Dataverse Plugins to help
To prevent those bypasses, we can use Dataverse plugins together with the IPluginExecutionContext2 interface and its IsPortalsClientCall property.
We need to register the plugin steps in the “Pre-Operation” stage.
In the Plugin, you can use C# logic to validate the calls as below. If the choice value is not accepted, you can raise an exception which prevents the operation (ignore the simplicity of the code, I just want to illustrate the concept and how it works):
    using System;
    using Microsoft.Xrm.Sdk;

    namespace PowerPagesValidationPluginSample
    {
        public class ValidateSupportrequestUpdates : IPlugin
        {
            public void Execute(IServiceProvider serviceProvider)
            {
                IPluginExecutionContext2 context = (IPluginExecutionContext2)serviceProvider.GetService(typeof(IPluginExecutionContext2));

                // Only restrict calls coming from the Power Pages site
                if (context.IsPortalsClientCall)
                {
                    // Skip messages whose Target is not an Entity
                    if (!context.InputParameters.Contains("Target") || !(context.InputParameters["Target"] is Entity))
                    {
                        return;
                    }
                    Entity target = (Entity)context.InputParameters["Target"];
                    var requestStatus = target.GetAttributeValue<OptionSetValue>("pnp_requeststatus")?.Value;

                    // Values for Draft and Submitted in my case; a missing status (null) is rejected as well
                    if (requestStatus != 893780000 && requestStatus != 893780001)
                    {
                        // Throwing in the Pre-Operation stage prevents the operation
                        throw new InvalidPluginExecutionException(OperationStatus.Failed, 1, "You can only create records with Draft or Submitted Status");
                    }
                }
            }
        }
    }
For example, if you run the below Web API call (which is invalid):
You would get an exception thrown, and the record is not created:
If a client-side call does not cause the plugin to throw an exception, it is executed successfully.
You can go beyond simple logic as above, but think of it as a pattern:
Hope this helps you start understanding how to make your JavaScript customisations more secure in Power Pages.
One recommendation I would add: use this approach with care, as the overuse of plugins and heavy operations in plugins can affect performance.
Write custom code for this only when you cannot enforce server-side rules using Power Pages out-of-the-box features (column permissions, table permissions, etc.).
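The following is an added example, not code from the original post: it extends the plugin above to steps registered on both Create and Update, checking the status on Update only when the caller sends it, and re-checking a text format on the server. The class name, the column pnp_referencecode and its REQ-000123 format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Microsoft.Xrm.Sdk;

namespace PowerPagesValidationPluginSample
{
    // Added example: register on Create and Update of the table, Pre-Operation stage.
    public class ValidatePortalRequest : IPlugin
    {
        // Draft and Submitted, the two option values used in the post.
        private static readonly HashSet<int> AllowedStatuses = new HashSet<int> { 893780000, 893780001 };
        // Hypothetical text column and format; both are assumptions, not from the post.
        private const string ReferenceColumn = "pnp_referencecode";
        private static readonly Regex ReferenceFormat = new Regex(@"\AREQ-[0-9]{6}\z");

        public void Execute(IServiceProvider serviceProvider)
        {
            var context = (IPluginExecutionContext2)serviceProvider.GetService(typeof(IPluginExecutionContext2));
            // Only portal calls are restricted; messages without an Entity target are skipped.
            if (!context.IsPortalsClientCall) return;
            var target = context.InputParameters.Contains("Target") ? context.InputParameters["Target"] as Entity : null;
            if (target == null) return;

            bool isCreate = string.Equals(context.MessageName, "Create", StringComparison.OrdinalIgnoreCase);
            // On Create a missing status is rejected, as in the post's plugin.
            // On Update the status is checked only when the caller is changing it.
            if (isCreate || target.Contains("pnp_requeststatus"))
            {
                var status = target.GetAttributeValue<OptionSetValue>("pnp_requeststatus")?.Value;
                if (status == null || !AllowedStatuses.Contains(status.Value))
                    throw new InvalidPluginExecutionException(OperationStatus.Failed, 1,
                        "Request status must be Draft or Submitted");
            }

            // Re-check on the server the format that the form JavaScript enforces.
            if (target.Contains(ReferenceColumn))
            {
                var reference = target.GetAttributeValue<string>(ReferenceColumn);
                if (reference == null || !ReferenceFormat.IsMatch(reference))
                    throw new InvalidPluginExecutionException(OperationStatus.Failed, 2,
                        "Reference code must look like REQ-000123");
            }
        }
    }
}
```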
The post Power Pages: Adding server-side extra validation using C# Plugins appeared first on michelcarlo.
Original Post https://michelcarlo.com/2025/07/14/power-pages-adding-server-side-extra-validation-using-c-plugins/