Fix blackhole requests with empty select boxes.

When a select box was entirely empty (no option element) secured form submission should not fail. Fixes #3153
cakephp · Aug 27, 2012 · cbb64bd · cbb64bd
1 parent b68a2ed
commit cbb64bd
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 2 deletions.
diff --git a/lib/Cake/Test/Case/View/Helper/FormHelperTest.php b/lib/Cake/Test/Case/View/Helper/FormHelperTest.php
@@ -4256,6 +4256,30 @@ public function testSelectMultipleCheckboxSecurity() {
 		$this->assertRegExp('/"' . $key . '"/', $result);
 	}
 
+/**
+ * When a select box has no options it should not be added to the fields list
+ * as it always fail post validation.
+ *
+ * @return void
+ */
+	public function testSelectNoSecureWithNoOptions() {
+		$this->Form->request['_Token'] = array('key' => 'testkey');
+		$this->assertEquals(array(), $this->Form->fields);
+
+		$this->Form->select(
+			'Model.select',
+			array()
+		);
+		$this->assertEquals(array(), $this->Form->fields);
+
+		$this->Form->select(
+			'Model.select',
+			array(),
+			array('empty' => true)
+		);
+		$this->assertEquals(array('Model.select'), $this->Form->fields);
+	}
+
 /**
  * testInputMultipleCheckboxes method
  *

diff --git a/lib/Cake/View/Helper/FormHelper.php b/lib/Cake/View/Helper/FormHelper.php
@@ -817,7 +817,7 @@ public function label($fieldName = null, $text = null, $options = array()) {
  * - `fieldset` Set to false to disable the fieldset. If a string is supplied it will be used as
  *    the classname for the fieldset element.
  * - `legend` Set to false to disable the legend for the generated input set. Or supply a string
- *	to customize the legend text.
+ *    to customize the legend text.
  *
  * @param array $fields An array of fields to generate inputs for, or null.
  * @param array $blacklist a simple array of fields to not create inputs for.
@@ -1843,7 +1843,12 @@ public function select($fieldName, $options = array(), $attributes = array()) {
 		}
 
 		if (!empty($tag) || isset($template)) {
-			if ((!isset($secure) || $secure == true) && empty($attributes['disabled'])) {
+			$hasOptions = (count($options) > 0 || $showEmpty);
+			if (
+				(!isset($secure) || $secure == true) &&
+				empty($attributes['disabled']) &&
+				$hasOptions
+			) {
 				$this->_secure(true);
 			}
 			$select[] = $this->Html->useTag($tag, $attributes['name'], array_diff_key($attributes, array('name' => '', 'value' => '')));