In my last two posts [1, 2] I explained how to define scenario-based validation rules and safe attributes. Something I have noted is that whenever I end up specifying an attribute as “required” in the validation rules(), I also always end up specifying it as “safe” in safeAttributes() under the same scenario. This got me thinking – is it possible that every “required” attribute must also be “safe” on a given scenario? The answer to that seems to be yes. So I thought, why be redundant? So I went about the task of teaching Yii that all “required” attributes are also “safe”. It seems the most elegant way to do this is by extending getSafeAttributeNames() in your model. So that’s what I did. Now, I’ll share with you. Just drop this code in any model that you would like to have this behavior.

<?php
/*
* I extended this method so that yii will "automagically" understand that
* 'required' attributes (in the given scenario) are also 'safe'.  This way,
* when defining 'safe' attributes in the safeAttributes() method, you can
* neglect to define attributes as safe that you have already defined at "required"
* in your rules() method.  This basically saves typing (and in some cases stupid
* mistakes), which I am always a fan of.  This method could be moved to another model
* from which other models like this could inherit from if you wish.
* 
* You should NOT call this method directly but it is used by Yii internally
*/
public function getSafeAttributeNames($scenario='') {
	$safe = parent::getSafeAttributeNames($scenario);
 
	foreach ($this->validators as $validator) {
		if ((get_class($validator) != 'CRequiredValidator') || !$validator->applyTo($scenario)) continue;
		$safe = array_merge($safe, $validator->attributes);
	}
	return array_unique($safe);
}

Enjoy if you wish and give feedback.

One thing to worry about is speed however. Every time this method is called, it loops through all the validators. If you have a lot of validation rules this could be unwanted. On the other hand, yii only checks the safe attributes on CModel::setAttributes(), which is generally only called on requests with submitted POST data (e.g. forms, and users don’t often expect those pages to be lightning fast). Anyways, I’m making this code snipped sound slower than it actually is. It might be interesting to check how many times this method is called on a given request.

If you read my last article on validation scenarios then you may understand why in different scenarios you may need different attributes to be required. However you may have noticed a missing link – what if in different scenarios you also need different attributes to be considered as “safe”?

If you have no idea about what I am taking about then you probably don’t know that in your model you can specify which attributes are “safe” to massively assign to a model via CModel::setAttributes().

<?php
public function safeAttributes() {
	return array(
		//these attributes are safe to massively assign
		'attribute1, attribute2',
	);
}
?>

By default, all columns in the table are considered safe except the primary key column (attributes defined in the model are not considered safe by default)

The reason you might not want all attributes to be safe is if for instance you have fields which determine things such as access level. For instance what if you had a User model with a `is_admin` field. If you let `is_admin` be defined as safe, you have a security hole, as someone can take a tool such as urlparams and easily set himself as an admin.

Now you may actually want “is_admin” to be defined as safe in certain scenarios, such as an user administrative page. Thus, as of Yii 1.0.2, you can define scenarios through safeAttributes() which was the initial reason for writing this article.

I will simply use a code example taken from the Yii Class Reference this time.

<?php
public function safeAttributes() {
	return array(
	   // these attributes can be massively assigned in any scenario
	   // that is not explicitly specified below
	   'attr1, attr2, ...',
 
	   // these attributes can be massively assigned only in scenario 1
	   'scenario1' => 'attr2, attr3, ...', //Eg in this scenario attr1 is NOT safe
 
	   // these attributes can be massively assigned only in scenario 2
	   'scenario2' => 'attr1, attr3, ...',
	);
}

Now you may set the scenario to use via CModel::setAttributes()

<?php
$user->setAttributes(array <data>, string <scenario name>);
 
//Example:
$user->setAttributes($_POST['User'], 'update');

As of Yii 1.0.2 you may now define validation scenarios. This is very useful if for instance you have multiple places in your application that you validate a model, but in each instance you may want different validation rules. For instance, perhaps in your user registration form you want to have the “username”, “email” and “password” fields to be required, while on your “user recovery” page, you only want the “email” field to be required. You may see a problem here. If you set all the fields to be required, then your user recovery page won’t work, as it does not allow a user to supply neither a password nor a username.

The perfect solution to this are validation scenarios. You can attach a validation scenario to a validation rule through the ‘on’ property. You may already know you can set the ‘on’ property to either ‘insert’ or ‘update’, which will automatically cause the rule to only be used on the corresponding type of save. However sometimes these two options are not enough. So now with this new enhancement, you may set it to any value you want. Let me show an example:

<?php
//in user model
public function rules() {
	return array(
		//Set required fields
 		//Applies to 'register' scenario
 		//Note 'on' property
		array('username, password, password_repeat, email', 'required', 'on' => 'register'),
 
		//Applies to 'recover' scenario
		array('email', 'required', 'on' => 'recover'),
 
		//Applies to all scenarios
		array('username, password', 'length', 'max'=>35, 'min'=>3),
 
		//This rule checks if the username is unique in the database in
		//the 'register' scenario (we don't want it to check for uniqueness
		//on the login page for instance)
		array('username', 'unique', 'on' => 'register'),
 
		//This rule applies to 'register' and 'update' scenarios
		//Compares 'password' field to 'password_repeat' to make sure they are the same
		array('password', 'compare', 'on' => 'register, update'),
	);
}

With this setup Yii will be able to tell which fields are required in which scenarios. As a bonus I threw some other rules for example. Reading the comments will give you an understanding of that. You may also note from the ‘compare’ rule that you may define a rule to be used on multiple scenarios by separating them with commas.

Now when you wish to run validation under a specific scenario you must define it in when calling CModel::validate(), as so

<?php
$user->validate('<scenarioName>'); //runs validation under the given scenario
 
//example:
if ($user->validate('register')) {
	$user->save(false);
}

So the above example will validate the user under the ‘register’ scenario.

Leave a comment if I have left any unanswered questions on this enhancement