fix: disallow Model::update() without WHERE clause

Author: kenjis

system/Model.php

@@ -386,6 +386,12 @@ protected function doUpdate($id = null, $data = null): bool
             $builder->set($key, $val, $escape[$key] ?? null);
         }
 
+        if ($builder->getCompiledQBWhere() === []) {
+            throw new DatabaseException(
+                'Updates are not allowed unless they contain a "where" or "like" clause.'
+            );
+        }
+
         return $builder->update();
     }
 

tests/system/Models/UpdateModelTest.php

@@ -11,8 +11,10 @@
 
 namespace CodeIgniter\Models;
 
+use CodeIgniter\Database\Exceptions\DatabaseException;
 use CodeIgniter\Database\Exceptions\DataException;
 use CodeIgniter\Entity\Entity;
+use Generator;
 use stdClass;
 use Tests\Support\Models\EventModel;
 use Tests\Support\Models\JobModel;
@@ -378,4 +380,30 @@ public function testUpdateWithSetAndEscape(): void
             'email'   => '1+1',
         ]);
     }
+
+    /**
+     * @dataProvider provideInvalidIds
+     *
+     * @param false|null $id
+     */
+    public function testUpdateThrowDatabaseExceptionWithoutWhereClause($id): void
+    {
+        $this->expectException(DatabaseException::class);
+        $this->expectExceptionMessage(
+            'Updates are not allowed unless they contain a "where" or "like" clause.'
+        );
+
+        // $useSoftDeletes = false
+        $this->createModel(JobModel::class);
+
+        $this->model->update($id, ['name' => 'Foo Bar']);
+    }
+
+    public function provideInvalidIds(): Generator
+    {
+        yield from [
+            [null],
+            [false],
+        ];
+    }
 }