Merge remote-tracking branch 'upstream/develop' into 4.4

 Conflicts:
	system/Validation/Validation.php

Author: kenjis

system/Test/FeatureTestTrait.php

@@ -167,6 +167,9 @@ public function call(string $method, string $path, ?array $params = null)
         // Make sure filters are reset between tests
         Services::injectMock('filters', Services::filters(null, false));
 
+        // Make sure validation is reset between tests
+        Services::injectMock('validation', Services::validation(null, false));
+
         $response = $this->app
             ->setContext('web')
             ->setRequest($request)

system/Validation/Validation.php

@@ -123,6 +123,9 @@ public function __construct($config, RendererInterface $view)
      * @param array|null  $data    The array of data to validate.
      * @param string|null $group   The predefined group of rules to apply.
      * @param string|null $dbGroup The database group to use.
+     *
+     * @TODO Type ?string for $dbGroup should be removed.
+     *      See https://github.com/codeigniter4/CodeIgniter4/issues/6723
      */
     public function run(?array $data = null, ?string $group = null, ?string $dbGroup = null): bool
     {
@@ -133,7 +136,7 @@ public function run(?array $data = null, ?string $group = null, ?string $dbGroup
             $this->data = $data;
         }
 
-        // i.e. is_unique
+        // `DBGroup` is a reserved name. For is_unique and is_not_unique
         $data['DBGroup'] = $dbGroup;
 
         $this->loadRuleSets();
@@ -206,18 +209,28 @@ public function run(?array $data = null, ?string $group = null, ?string $dbGroup
     }
 
     /**
-     * Runs the validation process, returning true or false
-     * determining whether validation was successful or not.
+     * Runs the validation process, returning true or false determining whether
+     * validation was successful or not.
      *
-     * @param array|bool|float|int|object|string|null $value  The data to validate.
-     * @param array|string                            $rule   The validation rules.
-     * @param string[]                                $errors The custom error message.
+     * @param array|bool|float|int|object|string|null $value   The data to validate.
+     * @param array|string                            $rules   The validation rules.
+     * @param string[]                                $errors  The custom error message.
+     * @param string|null                             $dbGroup The database group to use.
      */
-    public function check($value, $rule, array $errors = []): bool
+    public function check($value, $rules, array $errors = [], $dbGroup = null): bool
     {
         $this->reset();
 
-        return $this->setRule('check', null, $rule, $errors)->run(['check' => $value]);
+        return $this->setRule(
+            'check',
+            null,
+            $rules,
+            $errors
+        )->run(
+            ['check' => $value],
+            null,
+            $dbGroup
+        );
     }
 
     /**
@@ -711,6 +724,7 @@ protected function fillPlaceholders(array $rules, array $data): array
 
                     foreach ($placeholderFields as $field) {
                         $validator ??= Services::validation(null, false);
+                        assert($validator instanceof Validation);
 
                         $placeholderRules = $rules[$field]['rules'] ?? null;
 
@@ -731,7 +745,8 @@ protected function fillPlaceholders(array $rules, array $data): array
                         }
 
                         // Validate the placeholder field
-                        if (! $validator->check($data[$field], implode('|', $placeholderRules))) {
+                        $dbGroup = $data['DBGroup'] ?? null;
+                        if (! $validator->check($data[$field], $placeholderRules, [], $dbGroup)) {
                             // if fails, do nothing
                             continue;
                         }

system/Validation/ValidationInterface.php

@@ -32,12 +32,14 @@ public function run(?array $data = null, ?string $group = null, ?string $dbGroup
      * Check; runs the validation process, returning true or false
      * determining whether or not validation was successful.
      *
-     * @param array|bool|float|int|object|string|null $value  Value to validate.
+     * @param array|bool|float|int|object|string|null $value   Value to validate.
+     * @param array|string                            $rules
      * @param string[]                                $errors
+     * @param string|null                             $dbGroup The database group to use.
      *
      * @return bool True if valid, else false.
      */
-    public function check($value, string $rule, array $errors = []): bool;
+    public function check($value, $rules, array $errors = [], $dbGroup = null): bool;
 
     /**
      * Takes a Request object and grabs the input data to use from its

tests/system/Test/FeatureTestTraitTest.php

@@ -120,6 +120,36 @@ public function testCallPostWithBody()
         $response->assertSee('Hello Mars!');
     }
 
+    public function testCallValidationTwice()
+    {
+        $this->withRoutes([
+            [
+                'post',
+                'section/create',
+                static function () {
+                    $validation = Services::validation();
+                    $validation->setRule('title', 'title', 'required|min_length[3]');
+
+                    $post = Services::request()->getPost();
+
+                    if ($validation->run($post)) {
+                        return 'Okay';
+                    }
+
+                    return 'Invalid';
+                },
+            ],
+        ]);
+
+        $response = $this->post('section/create', ['foo' => 'Mars']);
+
+        $response->assertSee('Invalid');
+
+        $response = $this->post('section/create', ['title' => 'Section Title']);
+
+        $response->assertSee('Okay');
+    }
+
     public function testCallPut()
     {
         $this->withRoutes([

tests/system/Validation/StrictRules/DatabaseRelatedRulesTest.php

@@ -16,6 +16,7 @@
 use CodeIgniter\Validation\Validation;
 use Config\Database;
 use Config\Services;
+use InvalidArgumentException;
 use Tests\Support\Validation\TestRules;
 
 /**
@@ -82,7 +83,17 @@ public function testIsUniqueTrue(): void
         $this->assertTrue($this->validation->run($data));
     }
 
-    public function testIsUniqueIgnoresParams(): void
+    public function testIsUniqueWithInvalidDBGroup(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('invalidGroup is not a valid database connection group');
+
+        $this->validation->setRules(['email' => 'is_unique[user.email]']);
+        $data = ['email' => '[email protected]'];
+        $this->assertTrue($this->validation->run($data, null, 'invalidGroup'));
+    }
+
+    public function testIsUniqueWithIgnoreValue(): void
     {
         $db = Database::connect();
         $db
@@ -102,7 +113,7 @@ public function testIsUniqueIgnoresParams(): void
         $this->assertTrue($this->validation->run($data));
     }
 
-    public function testIsUniqueIgnoresParamsPlaceholders(): void
+    public function testIsUniqueWithIgnoreValuePlaceholder(): void
     {
         $this->hasInDatabase('user', [
             'name'    => 'Derek',

user_guide_src/source/changelogs/v4.3.5.rst

@@ -21,11 +21,11 @@ SECURITY
 Changes
 *******
 
-- **make:cell** When creating a new cell, the controller would always have the ``Cell`` suffixed to the class name.
-    For the view file, the final ``_cell`` is always removed.
-- **Cells** For compatibility with previous versions, view filenames ending with ``_cell`` can still be
-    located by the ``Cell`` as long as auto-detection of view file is enabled (via setting the ``$view`` property
-    to an empty string).
+- **make:cell command:** When creating a new cell, the controller would always have the ``Cell`` suffixed to the class name.
+  For the view file, the final ``_cell`` is always removed.
+- **View Cells:** For compatibility with previous versions, view filenames ending with ``_cell`` can still be
+  located by the ``Cell`` as long as auto-detection of view file is enabled (via setting the ``$view`` property
+  to an empty string).
 
 Deprecations
 ************
@@ -37,8 +37,8 @@ Bugs Fixed
 **********
 
 - **Validation:** Fixed a bug where a closure used in combination with ``permit_empty`` or ``if_exist`` rules was causing an error.
-- **make:cell** Fixed generating view files as classes.
-- **make:cell** Fixed treatment of single word class input for case-insensitive OS.
+- **make:cell command:** Fixed generating view files as classes.
+- **make:cell command:** Fixed treatment of single word class input for case-insensitive OS.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_

user_guide_src/source/changelogs/v4.3.6.rst

@@ -12,6 +12,28 @@ Release Date: Unreleased
 BREAKING
 ********
 
+Interface Changes
+=================
+
+.. note:: As long as you have not extended the relevant CodeIgniter core classes
+    or implemented these interfaces, all these changes are backward compatible
+    and require no intervention.
+
+ValidationInterface::check()
+----------------------------
+
+- The second parameter has changed from ``string $rule`` to ``$rules``.
+- The optional fourth parameter ``$dbGroup = null`` has been added.
+
+Method Signature Changes
+========================
+
+Validation::check()
+-------------------
+
+- The second parameter has changed from ``string $rule`` to ``$rules``.
+- The optional fourth parameter ``$dbGroup = null`` has been added.
+
 Message Changes
 ***************
 
@@ -24,6 +46,11 @@ Deprecations
 Bugs Fixed
 **********
 
+- **Validation:** Fixed a bug that ``$DBGroup`` is ignored when checking
+  the value of a placeholder.
+- **Validation:** Fixed a bug that ``check()`` cannot specify non-default
+  database group.
+
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_
 for a complete list of bugs fixed.

user_guide_src/source/installation/upgrade_436.rst

@@ -21,6 +21,9 @@ Breaking Changes
 Breaking Enhancements
 *********************
 
+- The method signatures of ``ValidationInterface::check()`` and ``Validation::check()``
+  have been changed. If you implement or extend them, update the signatures.
+
 Project Files
 *************
 

user_guide_src/source/libraries/validation.rst

@@ -753,14 +753,23 @@ Your new custom rule could now be used just like any other rule:
 Allowing Parameters
 -------------------
 
-If your method needs to work with parameters, the function will need a minimum of three parameters: the value to validate,
-the parameter string, and an array with all of the data that was submitted the form. The ``$data`` array is especially handy
+If your method needs to work with parameters, the function will need a minimum of three parameters:
+
+1. the value to validate (``$value``)
+2. the parameter string (``$params``)
+3. an array with all of the data that was submitted the form (``$data``)
+4. (optional) a custom error string (``&$error``), just as described above.
+
+.. warning:: The field values in ``$data`` are unvalidated (or may be invalid).
+    Using unvalidated input data is a source of vulnerability. You must
+    perform the necessary validation within your custom rules before using the
+    data in ``$data``.
+
+The ``$data`` array is especially handy
 for rules like ``required_with`` that needs to check the value of another submitted field to base its result on:
 
 .. literalinclude:: validation/037.php
 
-Custom errors can be returned as the fourth parameter ``&$error``, just as described above.
-
 .. _validation-using-closure-rule:
 
 Using Closure Rule