Merge branch 'codeigniter4:develop' into patch-1

Author: iamsyh

src/Authorization/Traits/Authorizable.php

@@ -6,6 +6,7 @@
 
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Shield\Authorization\AuthorizationException;
+use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Models\GroupModel;
 use CodeIgniter\Shield\Models\PermissionModel;
 
@@ -226,9 +227,18 @@ public function hasPermission(string $permission): bool
     /**
      * Checks user permissions and their group permissions
      * to see if the user has a specific permission.
+     *
+     * @param string $permission string consisting of a scope and action, like `users.create`
      */
     public function can(string $permission): bool
     {
+        if (strpos($permission, '.') === false) {
+            throw new LogicException(
+                'A permission must be a string consisting of a scope and action, like `users.create`.'
+                . ' Invalid permission: ' . $permission
+            );
+        }
+
         $this->populatePermissions();
 
         $permission = strtolower($permission);

src/Controllers/RegisterController.php

@@ -76,12 +76,8 @@ public function registerAction(): RedirectResponse
         }
 
         // Save the user
-        $allowedPostFields = array_merge(
-            setting('Auth.validFields'),
-            setting('Auth.personalFields'),
-            array_keys($rules),
-        );
-        $user = $this->getUserEntity();
+        $allowedPostFields = array_keys($rules);
+        $user              = $this->getUserEntity();
         $user->fill($this->request->getPost($allowedPostFields));
 
         // Workaround for email only registration/login

src/Models/UserModel.php

@@ -253,6 +253,11 @@ public function update($id = null, $data = null): bool
             /** @throws DataException */
             $result = parent::update($id, $data);
         } catch (DataException $e) {
+            // When $data is an array.
+            if ($this->tempUser === null) {
+                throw $e;
+            }
+
             $messages = [
                 lang('Database.emptyDataset', ['update']),
             ];

tests/Authorization/AuthorizableTest.php

@@ -6,6 +6,7 @@
 
 use CodeIgniter\I18n\Time;
 use CodeIgniter\Shield\Authorization\AuthorizationException;
+use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Models\UserModel;
 use CodeIgniter\Test\DatabaseTestTrait;
 use Locale;
@@ -299,6 +300,16 @@ public function testCanCascadesToGroupsWithWildcards(): void
         $this->assertTrue($this->user->can('admin.access'));
     }
 
+    public function testCanGetsInvalidPermission(): void
+    {
+        $this->expectException(LogicException::class);
+        $this->expectExceptionMessage('Invalid permission: developer');
+
+        $this->user->addGroup('superadmin');
+
+        $this->assertTrue($this->user->can('developer'));
+    }
+
     /**
      * @see https://github.com/codeigniter4/shield/pull/238
      */

tests/Unit/UserModelTest.php

@@ -4,6 +4,7 @@
 
 namespace Tests\Unit;
 
+use CodeIgniter\Database\Exceptions\DataException;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Exceptions\LogicException;
 use CodeIgniter\Shield\Models\UserModel;
@@ -239,4 +240,18 @@ public function testUpdateUserObjectWithoutUserDataToUpdate(): void
             'secret'  => 'bar@bar.com',
         ]);
     }
+
+    /**
+     * @see https://github.com/codeigniter4/shield/issues/471
+     */
+    public function testSaveArrayNoDataToUpdate(): void
+    {
+        $this->expectException(DataException::class);
+        $this->expectExceptionMessage('There is no data to update.');
+
+        $users = $this->createUserModel();
+        $user  = fake(UserModel::class);
+
+        $users->save(['id' => $user->id]);
+    }
 }