Merge pull request #4195 from sfadschm/fix-model-empty-check

Add additional empty checks after field protection for update/insert.

Author: michalsn

system/BaseModel.php

@@ -728,6 +728,13 @@ public function insert($data = null, bool $returnID = true)
 		// strip out created_at values.
 		$data = $this->doProtectFields($data);
 
+		// doProtectFields() can further remove elements from
+		// $data so we need to check for empty dataset again
+		if (empty($data))
+		{
+			throw DataException::forEmptyDataset('insert');
+		}
+
 		// Set created_at and updated_at with same time
 		$date = $this->setDate();
 
@@ -866,6 +873,13 @@ public function update($id = null, $data = null): bool
 		// strip out updated_at values.
 		$data = $this->doProtectFields($data);
 
+		// doProtectFields() can further remove elements from
+		// $data so we need to check for empty dataset again
+		if (empty($data))
+		{
+			throw DataException::forEmptyDataset('update');
+		}
+
 		if ($this->useTimestamps && $this->updatedField && ! array_key_exists($this->updatedField, $data))
 		{
 			$data[$this->updatedField] = $this->setDate();

tests/system/Models/InsertModelTest.php

@@ -178,7 +178,7 @@ public function testInsertBatchNewEntityWithDateTime(): void
 		$this->assertSame(2, $this->model->insertBatch([$entity, $entity]));
 	}
 
-	public function testInsertArrayWithDataException(): void
+	public function testInsertArrayWithNoDataException(): void
 	{
 		$this->expectException(DataException::class);
 		$this->expectExceptionMessage('There is no data to insert.');
@@ -193,6 +193,45 @@ public function testInsertObjectWithNoDataException(): void
 		$this->createModel(UserModel::class)->insert($data);
 	}
 
+	public function testInsertArrayWithNoDataExceptionNoAllowedData(): void
+	{
+		$this->expectException(DataException::class);
+		$this->expectExceptionMessage('There is no data to insert.');
+		$this->createModel(UserModel::class)->insert(['thisKeyIsNotAllowed' => 'Bar']);
+	}
+
+	public function testInsertEntityWithNoDataExceptionNoAllowedData(): void
+	{
+		$this->createModel(UserModel::class);
+
+		$entity = new class extends Entity
+		{
+			protected $id;
+			protected $name;
+			protected $email;
+			protected $country;
+			protected $deleted;
+			protected $created_at;
+			protected $updated_at;
+
+			protected $_options = [
+				'datamap' => [],
+				'dates'   => [
+					'created_at',
+					'updated_at',
+					'deleted_at',
+				],
+				'casts'   => [],
+			];
+		};
+
+		$entity->fill(['thisKeyIsNotAllowed' => 'Bar']);
+
+		$this->expectException(DataException::class);
+		$this->expectExceptionMessage('There is no data to insert.');
+		$this->model->insert($entity);
+	}
+
 	public function testUseAutoIncrementSetToFalseInsertException(): void
 	{
 		$this->expectException(DataException::class);

tests/system/Models/UpdateModelTest.php

@@ -275,6 +275,65 @@ public function testUpdateObjectWithDataException(): void
 		$this->model->update($id, $data);
 	}
 
+	public function testUpdateArrayWithDataExceptionNoAllowedFields(): void
+	{
+		$this->createModel(EventModel::class);
+
+		$data = [
+			'name'    => 'Foo',
+			'email'   => 'foo@example.com',
+			'country' => 'US',
+			'deleted' => 0,
+		];
+
+		$id = $this->model->insert($data);
+
+		$this->expectException(DataException::class);
+		$this->expectExceptionMessage('There is no data to update.');
+		$this->model->update($id, ['thisKeyIsNotAllowed' => 'Bar']);
+	}
+
+	public function testUpdateWithEntityNoAllowedFields(): void
+	{
+		$this->createModel(UserModel::class);
+
+		$entity = new class extends Entity
+		{
+			protected $id;
+			protected $name;
+			protected $email;
+			protected $country;
+			protected $deleted;
+			protected $created_at;
+			protected $updated_at;
+
+			protected $_options = [
+				'datamap' => [],
+				'dates'   => [
+					'created_at',
+					'updated_at',
+					'deleted_at',
+				],
+				'casts'   => [],
+			];
+		};
+
+		$entity->id      = 1;
+		$entity->name    = 'Jones Martin';
+		$entity->country = 'India';
+		$entity->deleted = 0;
+
+		$id = $this->model->insert($entity);
+
+		$entity->syncOriginal();
+
+		$entity->fill(['thisKeyIsNotAllowed' => 'Bar']);
+
+		$this->expectException(DataException::class);
+		$this->expectExceptionMessage('There is no data to update.');
+		$this->model->update($id, $entity);
+	}
+
 	public function testUseAutoIncrementSetToFalseUpdate(): void
 	{
 		$key = 'key';
@@ -301,9 +360,9 @@ public function testUpdateWithSetAndEscape(): void
 		$this->assertTrue($this->model->set('country', '2+2', false)->set('email', '1+1')->update(1, $userData));
 
 		$this->seeInDatabase('user', [
-			'name' => 'Scott',
+			'name'    => 'Scott',
 			'country' => '4',
-			'email' => '1+1',
+			'email'   => '1+1',
 		]);
 	}
 }