fix: Model::insertBatch() to non auto-increment table causes error

CodeIgniter\Database\Exceptions\DataException : There is no primary key defined when trying to make insertBatch.
codeigniter4 · Aug 1, 2023 · a2c4749 · a2c4749
1 parent 6cd704d
commit a2c4749
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 5 deletions.
diff --git a/system/BaseModel.php b/system/BaseModel.php
@@ -847,7 +847,7 @@ public function insertBatch(?array $set = null, ?bool $escape = null, int $batch
 
                 // Must be called first so we don't
                 // strip out created_at values.
-                $row = $this->doProtectFields($row);
+                $row = $this->doProtectFieldsForInsert($row);
 
                 // Set created_at and updated_at with same time
                 $date = $this->setDate();
@@ -1222,11 +1222,11 @@ public function protect(bool $protect = true)
     }
 
     /**
-     * Ensures that only the fields that are allowed to be updated
-     * are in the data array.
+     * Ensures that only the fields that are allowed to be updated are
+     * in the data array.
      *
-     * Used by insert(), insertBatch(), update(), and updateBatch() to protect
-     * against mass assignment vulnerabilities.
+     * Used by update() and updateBatch() to protect against mass assignment
+     * vulnerabilities.
      *
      * @param array $data Data
      *
@@ -1251,6 +1251,22 @@ protected function doProtectFields(array $data): array
         return $data;
     }
 
+    /**
+     * Ensures that only the fields that are allowed to be inserted are in
+     * the data array.
+     *
+     * Used by insert() and insertBatch() to protect against mass assignment
+     * vulnerabilities.
+     *
+     * @param array $data Data
+     *
+     * @throws DataException
+     */
+    protected function doProtectFieldsForInsert(array $data): array
+    {
+        return $this->doProtectFields($data);
+    }
+
     /**
      * Sets the date or current date if null value is passed.
      *

diff --git a/system/Model.php b/system/Model.php
@@ -730,6 +730,41 @@ public function insert($data = null, bool $returnID = true)
         return parent::insert($data, $returnID);
     }
 
+    /**
+     * Ensures that only the fields that are allowed to be inserted are in
+     * the data array.
+     *
+     * Used by insert() and insertBatch() to protect against mass assignment
+     * vulnerabilities.
+     *
+     * @param array $data Data
+     *
+     * @throws DataException
+     */
+    protected function doProtectFieldsForInsert(array $data): array
+    {
+        if (! $this->protectFields) {
+            return $data;
+        }
+
+        if (empty($this->allowedFields)) {
+            throw DataException::forInvalidAllowedFields(static::class);
+        }
+
+        foreach (array_keys($data) as $key) {
+            // Do not remove the non-auto-incrementing primary key data.
+            if ($this->useAutoIncrement === false && $key === $this->primaryKey) {
+                continue;
+            }
+
+            if (! in_array($key, $this->allowedFields, true)) {
+                unset($data[$key]);
+            }
+        }
+
+        return $data;
+    }
+
     /**
      * Updates a single record in the database. If an object is provided,
      * it will attempt to convert it into an array.