MobileShop Website Part 23 | Manage Product Categories Step-by-Step in ASP.NET Core MVC

 Welcome to Part 23! In this brand-new module, we are kicking off the administrative catalog management system by building out the Product Categories Administration Controller. Step 1 establishes the foundational scaffolding, dependency injection wiring, and security guardrails required to manage store collections safely.

Step 1: The Administrative Categories Scaffolding

This controller forms the secure administrative command center for creating, updating, and removing store categories, completely isolated from customer-facing logic.

C# / Areas/Admin/Controllers/CategoriesController.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace YourProjectNamespace.Areas.Admin.Controllers
{
    [Area("Admin")]
    [Authorize(Roles = "Admin")]
    public class CategoriesController : Controller
    {
        private readonly ApplicationDbContext _context;

        public CategoriesController(ApplicationDbContext context)
        {
            _context = context;
        }
    }
}

Architectural Breakdown

• Area Attribute ([Area("Admin")]): By using Areas, we tell ASP.NET Core to look for this controller inside the Areas/Admin/Controllers folder. This organizes our project by separating customer-facing features from business-management tools.

• Role-Based Security ([Authorize(Roles = "Admin")]): This is your primary defense. It ensures that even if a user knows the URL, they cannot access the category management tools unless their account is explicitly assigned the "Admin" role in your Identity system.

• Constructor Injection: We use the modern Dependency Injection (DI) pattern to bring in our ApplicationDbContext. This allows the controller to communicate with the database without being "hard-coded" to a specific instance, making your code easier to test and maintain.

Step 2: The Organized List Retrieval

This method ensures that when an admin opens the Category Manager, they see a clean, sorted list of all available product classifications.

C# / Areas/Admin/Controllers/CategoriesController.cs

// GET: Admin/Categories
public async Task<IActionResult> Index()
{
    // Eagerly load Products to avoid NullReferenceException in the View count badge
    var categories = await _context.Categories
                                   .Include(c => c.Products)
                                   .OrderBy(c => c.DisplayOrder)
                                   .ToListAsync();

    return View(categories);
}

Core Logic Breakdown

• Asynchronous Execution (async Task<IActionResult>): By using async and await, we ensure the web server doesn't "freeze" while waiting for the database to return the list of categories. This allows the application to handle more concurrent users efficiently.

• Predictable Sorting (OrderBy):

  .OrderBy(c => c.DisplayOrder)

  Instead of showing categories in a random order (usually by ID), we sort them by a DisplayOrder property. This gives the Admin full control over how categories appear in the customer's navigation menus.

• List Materialization (ToListAsync): This command executes the query against the SQL database and converts the results into a C# List. We pass this list directly into the View(), making it available to our HTML frontend.

Step 3: Designing the Category Management UI

This view provides administrators with an aggregate look at store groupings, item counters, status markers, and operational action buttons.

HTML / Views/Categories/Index.cshtml

@model List<Category>
@{
    ViewData["Title"] = "Categories";
}

<div class="d-flex justify-content-between align-items-center mb-4">
    <h3><i class="bi bi-tags"></i> Categories</h3>
    <a asp-action="Create" class="btn btn-primary"><i class="bi bi-plus"></i> Add Category</a>
</div>

<div class="card shadow-sm">
    <div class="table-responsive">
        <table class="table table-hover mb-0">
            <thead class="table-dark">
                <tr>
                    <th>Name</th>
                    <th>Description</th>
                    <th>Display Order</th>
                    <th>Products</th>
                    <th>Status</th>
                    <th>Actions</th>
                </tr>
            </thead>
            <tbody>
                @foreach (var category in Model)
                {
                    <tr>
                        <td><strong>@category.Name</strong></td>
                        <td>@(category.Description ?? "-")</td>
                        <td>@category.DisplayOrder</td>
                        <td><span class="badge bg-info">@category.Products.Count</span></td>
                        <td>
                            @if (category.IsActive)
                            {
                                <span class="badge bg-success">Active</span>
                            }
                            else
                            {
                                <span class="badge bg-secondary">Inactive</span>
                            }
                        </td>
                        <td>
                            <a asp-action="Edit" asp-route-id="@category.Id" class="btn btn-sm btn-outline-primary">
                                <i class="bi bi-pencil"></i>
                            </a>
                            <form asp-action="Delete" method="post" class="d-inline" onsubmit="return confirm('Delete this category?');">
                                <input type="hidden" name="id" value="@category.Id" />
                                <button type="submit" class="btn btn-sm btn-outline-danger">
                                    <i class="bi bi-trash"></i>
                                </button>
                            </form>
                        </td>
                    </tr>
                }
            </tbody>
        </table>
    </div>
</div>

Core UI & Presentation Components Explained

• Strongly-Typed Collection Binding:

  @model List<Category>

  By passing a concrete List<Category> data type down from our controller, our Razor layout benefits from strict compiler type-checking. This allows us to access entity properties smoothly within our presentation markup.

• Clean Null-Coalescing Layout Fallbacks:

  <td>@(category.Description ?? "-")</td>

  If an administrator creates a category without writing a descriptive summary, the database yields a null string value. Using the C# null-coalescing operator (??) ensures our page displays a clean dash symbol (-) instead of a blank structural gap, keeping our table columns perfectly aligned.

• Live Navigation Counter Badges:

  <span class="badge bg-info">@category.Products.Count</span>

  This implementation provides quick insights into our store catalog by accessing the child entity collection count. It displays a clear number bubble revealing exactly how many active items are linked under each categorization block.

• Conditional Bootstrap State Badges: We use standard razor processing logic to check the IsActive state, immediately swapping structural indicator pills:

  • bg-success: Shows a vibrant green Active badge when items are live on the store front.

  • bg-secondary: Shows a neutral gray Inactive badge when collections are hidden from customers.

• Secure Post-Back Actions for Destructive Modifiers: While our item modifications can use simple anchor link tags (asp-action="Edit"), destructive operations must avoid standard GET requests to prevent automated background crawlers from accidentally deleting database rows. The script wraps the trash can icon inside a self-contained POST form containing a safe browser warning prompt:
  onsubmit="return confirm('Delete this category?');"

In Step 4, we build the complete creation pipeline for adding new product classifications. This requires a balanced pair of methods: a GET action to deliver the blank data entry web form, and a corresponding POST action to process, validate, and securely commit that fresh record into our SQL database.

Step 4: Category Creation PRG Pattern

This code block follows the professional Post/Redirect/Get (PRG) design pattern, which protects database operations and prevents accidental double-submissions if a user refreshes their browser.

C# / Areas/Admin/Controllers/CategoriesController.cs

// GET: Admin/Categories/Create
public IActionResult Create()
{
    return View();
}

// POST: Admin/Categories/Create
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Create(Category category)
{
    if (ModelState.IsValid)
    {
        _context.Categories.Add(category);
        await _context.SaveChangesAsync();
        TempData["Success"] = "Category created successfully.";
        return RedirectToAction(nameof(Index));
    }
    return View(category);
}

Core Form Lifecycle Mechanics Explained

• The Form Delivery Engine (GET Method):

  public IActionResult Create() { return View(); }

  This lightweight method handles the initial setup. When an admin clicks "Add Category", this endpoint runs a quick check on user permissions and immediately returns the empty markup view shell to the client browser.

• Cross-Site Request Forgery (CSRF) Shield:

  [ValidateAntiForgeryToken]

  This security attribute works directly with hidden validation key scripts embedded inside our Razor view forms. It verifies that the incoming form submission actually originated from an authenticated admin session on your exact domain, blocking malicious external third-party script attacks from injecting fraudulent records into your system.

• Server-Side Validation Barrier (ModelState.IsValid): Before executing any database storage commands, the application runs an automated evaluation check against the structural model requirements (such as required character length or maximum boundaries). If a user bypasses client-side rules, the application catches the errors here, bypasses the database call, and returns the entity model block directly back to the visual layout form to highlight the corrections needed.

• Asynchronous Database Commit Pipeline:

  _context.Categories.Add(category);

  await _context.SaveChangesAsync();
  

  Once the data checks out, Entity Framework Core tracks the model row entry via .Add(). The system calls await _context.SaveChangesAsync() to save the changes in a non-blocking background task. This allows the server thread to handle other users while waiting for the database to complete the operation.

• State Feedback and Clean Safe Redirection:

  TempData["Success"] = "Category created successfully.";

  return RedirectToAction(nameof(Index));
  

  After a successful save, we store a confirmation string message inside the temporary session storage block (TempData) and issue a clean RedirectToAction bounce back to our index grid. This completes our PRG cycle, clearing out form state variables so subsequent page refreshes do not trigger accidental duplicate entries.

Step 5: Constructing the Entry Form UI

This layout connects individual input fields to model properties, handles conditional error presentation, and sets up high-performance client-side data filtering.

HTML / Views/Categories/Create.cshtml

@model Category
@{
    ViewData["Title"] = "Create Category";
}

<div class="d-flex justify-content-between align-items-center mb-4">
    <h3><i class="bi bi-tags"></i> Create Category</h3>
    <a asp-action="Index" class="btn btn-secondary"><i class="bi bi-arrow-left"></i> Back</a>
</div>

<div class="card shadow-sm">
    <div class="card-body p-4">
        <form asp-action="Create" method="post">
            <div asp-validation-summary="ModelOnly" class="text-danger"></div>

            <div class="mb-3">
                <label asp-for="Name" class="form-label"></label>
                <input asp-for="Name" class="form-control" />
                <span asp-validation-for="Name" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="Description" class="form-label"></label>
                <textarea asp-for="Description" class="form-control" rows="3"></textarea>
                <span asp-validation-for="Description" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="ImageUrl" class="form-label">Image URL</label>
                <input asp-for="ImageUrl" class="form-control" />
                <span asp-validation-for="ImageUrl" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="DisplayOrder" class="form-label">Display Order</label>
                <input asp-for="DisplayOrder" class="form-control" type="number" />
                <span asp-validation-for="DisplayOrder" class="text-danger"></span>
            </div>

            <div class="mb-3 form-check">
                <input asp-for="IsActive" class="form-check-input" />
                <label asp-for="IsActive" class="form-check-label">Active</label>
            </div>

            <button type="submit" class="btn btn-primary"><i class="bi bi-check"></i> Create</button>
        </form>
    </div>
</div>

@section Scripts {
    <partial name="_ValidationScriptsPartial" />
}

Core UI Mechanics & Razor Features Explained

• Strongly-Typed Model Declaration:

  @model Category

  Unlike the index view which required a collection list, the creation layout binds to a single, empty Category object instance. This lets the data engine map field entries directly to database column types.

• ASP.NET Core Tag Helpers (asp-for): Instead of hardcoding standard HTML attributes like name="Name" or id="Name", we use the smart asp-for="Name" helper. It automatically generates the correct id, name, and data-type markers based on the configuration of your C# model class.

• Validation Architecture Components:

  • Validation Summary (asp-validation-summary="ModelOnly"): Sits at the top of the form. It acts as an error hub, displaying top-level business logic failures or database constraint violations that aren't tied to a single input field.

  • Field-Level Error Anchors (asp-validation-for): Positioned right beneath each input field to display specific validation messages (e.g., "The Name field is required") exactly where the error occurred.

• Responsive Control Structures: The form leverages Bootstrap 5 utility classes (mb-3, form-control, form-check-input) to ensure standard rendering across mobile devices and desktops. Text fields automatically scale, numbers receive spinner adjusters, and boolean choices utilize native modern checkboxes.

• Client-Side Validation Script Injection:

  @section Scripts {

      <partial name="_ValidationScriptsPartial" />
  }
  

  By pulling the default _ValidationScriptsPartial into the layout scripts section, you load jQuery Validation libraries in the background. This allows the browser to catch missing fields or incorrect numbers instantly, preventing unnecessary form submissions and saving server bandwidth.

Step 6: Category Modification Pipeline

This step updates your database records safely while introducing crucial error handling mechanisms to counter multi-user data overwrites.

C# / Areas/Admin/Controllers/CategoriesController.cs

// GET: Admin/Categories/Edit/5
public async Task<IActionResult> Edit(int id)
{
    var category = await _context.Categories.FindAsync(id);
    if (category == null)
        return NotFound();

    return View(category);
}

// POST: Admin/Categories/Edit/5
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Edit(int id, Category category)
{
    if (id != category.Id)
        return NotFound();

    if (ModelState.IsValid)
    {
        try
        {
            _context.Update(category);
            await _context.SaveChangesAsync();
            TempData["Success"] = "Category updated successfully.";
            return RedirectToAction(nameof(Index));
        }
        catch (DbUpdateConcurrencyException)
        {
            if (!CategoryExists(category.Id))
                return NotFound();
            
            throw;
        }
    }
    return View(category);
}

// Helper method used to verify existence during concurrency conflicts
private bool CategoryExists(int id)
{
    return _context.Categories.Any(e => e.Id == id);
}

Core Update Mechanics & Safety Measures

• Targeted Record Fetching (GET Method):

  var category = await _context.Categories.FindAsync(id);

  The GET action uses the primary key id passed from the UI table link. By using FindAsync(id), Entity Framework quickly searches the Category table. If a user manually types an ID into the browser URL that does not exist, the app catches it immediately with return NotFound();, preventing null reference page crashes.

• URL Parameter Mismatch Guardrail:

  if (id != category.Id) return NotFound();

  At the very top of the POST method, we compare the route id parameter directly against the internal category.Id properties inside the submitted form data package. This quick security validation ensures malicious actors haven't modified form payloads mid-transit to alter a completely different database row.

• Concurrency Exception Resolution:

  catch (DbUpdateConcurrencyException)

  When multiple managers update the same data simultaneously, conflicts can happen. Wrapping our saving task in a try-catch block for DbUpdateConcurrencyException lets us intercept conflict errors gracefully. It verifies if the target row was deleted by another admin mid-session using a helper check (CategoryExists), throwing the system error safely if a deeper connection failure occurred.

Step 7: Constructing the Edit View UI

This layout allows administrators to modify existing data fields while preserving unedited database properties like unique identifiers and auditing timestamps behind the scenes.

HTML / Views/Categories/Edit.cshtml

@model Category
@{
    ViewData["Title"] = "Edit Category";
}

<div class="d-flex justify-content-between align-items-center mb-4">
    <h3><i class="bi bi-tags"></i> Edit Category</h3>
    <a asp-action="Index" class="btn btn-secondary"><i class="bi bi-arrow-left"></i> Back</a>
</div>

<div class="card shadow-sm">
    <div class="card-body p-4">
        <form asp-action="Edit" method="post">
            <input type="hidden" asp-for="Id" />
            <input type="hidden" asp-for="CreatedAt" />
            <div asp-validation-summary="ModelOnly" class="text-danger"></div>

            <div class="mb-3">
                <label asp-for="Name" class="form-label"></label>
                <input asp-for="Name" class="form-control" />
                <span asp-validation-for="Name" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="Description" class="form-label"></label>
                <textarea asp-for="Description" class="form-control" rows="3"></textarea>
                <span asp-validation-for="Description" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="ImageUrl" class="form-label">Image URL</label>
                <input asp-for="ImageUrl" class="form-control" />
                <span asp-validation-for="ImageUrl" class="text-danger"></span>
            </div>

            <div class="mb-3">
                <label asp-for="DisplayOrder" class="form-label">Display Order</label>
                <input asp-for="DisplayOrder" class="form-control" type="number" />
                <span asp-validation-for="DisplayOrder" class="text-danger"></span>
            </div>

            <div class="mb-3 form-check">
                <input asp-for="IsActive" class="form-check-input" />
                <label asp-for="IsActive" class="form-check-label">Active</label>
            </div>

            <button type="submit" class="btn btn-primary"><i class="bi bi-check"></i> Save Changes</button>
        </form>
    </div>
</div>

@section Scripts {
    <partial name="_ValidationScriptsPartial" />
}

Core UI Mechanics & Razor Features Explained

• Hidden State Preservation Inputs:

  <input type="hidden" asp-for="Id" />

  <input type="hidden" asp-for="CreatedAt" />
  

  These hidden form tags are critical. When the GET method loads the page, Entity Framework populates the Id and CreatedAt properties. Because standard users shouldn't modify these values, we store them as type="hidden". When the form is submitted via POST, these tags send the original values back to the server, ensuring you don't overwrite your primary key or break your creation tracking dates.

• Targeted Route Processing (asp-action="Edit"): The <form asp-action="Edit" method="post"> tag companion matches your HTTP POST handler perfectly. It packages the visible inputs (Name, Description, Display Order) alongside your hidden fields into a unified payload request body.

• Client-Side Validation Injection: Just like the creation page, including the _ValidationScriptsPartial at the bottom activates dynamic validation. If an administrator accidentally deletes the name text, jQuery Validation intercepts the submit event immediately, highlighting the field in red without making a round-trip to the server.

Step 8: Safe Deletion & Data Preservation

This code block handles structural catalog cleanup safely by toggling record visibility instead of executing destructive SQL drop commands.

C# / Areas/Admin/Controllers/CategoriesController.cs

// POST: Admin/Categories/Delete/5
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Delete(int id)
{
    var category = await _context.Categories.FindAsync(id);
    if (category == null)
        return NotFound();

    // Soft delete implementation: Flagging rather than destructive removing
    category.IsActive = false;
    await _context.SaveChangesAsync();

    TempData["Success"] = "Category deleted successfully.";
    return RedirectToAction(nameof(Index));
}

// Helper method used to verify existence during concurrency conflicts
private bool CategoryExists(int id)
{
    return _context.Categories.Any(e => e.Id == id);
}

Core Logic & Soft Delete Mechanics Explained

• The Soft Delete Pattern vs. Hard Delete:

  // Soft delete

  category.IsActive = false;
  

  In real-world e-commerce applications, hard-deleting a category using _context.Categories.Remove(category) can cause cascading failures. If you completely erase a category that still contains active or historical products, your database foreign key constraints will throw severe errors, or worse, your app will crash when loading historical customer receipts. By flipping an IsActive flag to false, the category is safely hidden from the customer storefront while preserving relational database links behind the scenes.

• Optimized State Validation Lookups:

  private bool CategoryExists(int id)

  {
      return _context.Categories.Any(e => e.Id == id);
  }
  

  This internal private helper function uses the highly efficient Entity Framework .Any() clause. Unlike .FirstOrDefault() or .Find(), which pull entire object records into web server memory spaces, .Any() instructs SQL Server to execute a lightweight boolean query returning a fast true/false result. This is used by the Edit concurrency catch block we wrote in Step 6.