I’ve noticed that when using CCompareValidator, the model attribute specified in the compareAttribute param is not automatically added to the safe list and is not used in massive assignment.
So when, for example, a password change form has these simple validation rules:
    return array
    (
        array('password_current', 'authenticate'), // Current password needs to be authenticated.
        array('password_new_one', 'compare', 'compareAttribute'=>'password_new_two', 'skipOnError'=>true),
    );
Such a form will not work, because password_new_two will be empty. To avoid this, one must add:

    array('password_new_two', 'safe')

Just to feed my curiosity - is this OK? Should it be done this way? For me personally this is a little bit of nonsense. I thought that CCompareValidator would add both compared values to the safe list and for massive assignment.
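
The behaviour described in the post above, as a simplified stand-alone model added here as an example (it is not part of the original post and is not Yii's own code). The helpers `safeAttributes()` and `massAssign()` and the `is_admin` field are hypothetical, and the submitted values are constructed; scenarios and the validator-level `safe` option are left out.

```php
<?php
// Simplified model of the behaviour described in the post; NOT Yii's source.
// safeAttributes() and massAssign() are hypothetical helper names.

// Build the safe list: only attribute names in the first element of a rule
// count. Options such as 'compareAttribute' are validator parameters only.
function safeAttributes(array $rules): array
{
    $safe = [];
    foreach ($rules as $rule) {
        foreach (preg_split('/[\s,]+/', $rule[0], -1, PREG_SPLIT_NO_EMPTY) as $name) {
            $safe[$name] = true;
        }
    }
    return array_keys($safe);
}

// Copy only safe-listed keys from user input, as massive assignment does.
function massAssign(array $rules, array $input): array
{
    return array_intersect_key($input, array_flip(safeAttributes($rules)));
}

// Constructed form submission, including one field the form never declared.
$post = [
    'password_current' => 'old-secret',
    'password_new_one' => 'n3w-secret',
    'password_new_two' => 'n3w-secret',
    'is_admin'         => '1',
];

$rulesFromPost = [
    ['password_current', 'authenticate'],
    ['password_new_one', 'compare', 'compareAttribute' => 'password_new_two', 'skipOnError' => true],
];
$rulesWithSafe = array_merge($rulesFromPost, [['password_new_two', 'safe']]);

foreach (['rules from the post' => $rulesFromPost, 'with the safe rule' => $rulesWithSafe] as $label => $rules) {
    $model = massAssign($rules, $post);
    printf("%s: assigned = %s\n", $label, implode(', ', array_keys($model)));
    printf("  password_new_two %s, is_admin %s\n",
        isset($model['password_new_two']) ? 'assigned' : 'dropped',
        isset($model['is_admin']) ? 'assigned' : 'dropped');
}
```

The same filter that leaves `password_new_two` empty under the original rules is what keeps the undeclared `is_admin` field out of the model in both runs.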