Some doubt with safeAttributes

Hello guys,

Here is my safeAttributes method

 	public function safeAttributes()


	    return array(

	    	'type, description, bizrule, data',




In my create action I do:

		$model->scenario = 'create';





However I got the validate error:

Please fix the following input errors:

    * Type cannot be blank.

Type is massively assigned…

What am I missing ?

Please show the validators applied to type.

	public function rules()


		return array(



			array('name, type', 'required'),

			array('type', 'integerOnly'=>true),



array('type', 'integerOnly'=>true),

should be

array('type', 'numerical', 'integerOnly'=>true),

Thanks for the advice pestaa.

But I keep geting the error:

Please fix the following input errors:

    * Type cannot be blank.

Type is a dropDrownList, value is not blank.

Type is massively assigned.

In your safeAttributes() you specify that in scenario ‘create’ only ‘name’ can be massively assigned. So type will be empty.

Ok, but if I am supposed to add type in create scenario why do I have the possibility to configure massively assigned attributes outside scenario?

You can see them like “default” safe attributes that can be assigned if you don’t set any scenario.

I don’t agree. Fields that are marked as safe without scenario will be massively assigned in all scenarios. Updated below.


Scenario is always set. By default it can be ‘insert’ or ‘update’ depending on row existence in database.

That’s not right. From the API docs:


[b] // these attributes can be massively assigned in any scenario

// that is not explicitly specified below

[/b] ‘attr1, attr2, …’,

// these attributes can be massively assigned only in scenario 1

‘scenario1’ => ‘attr2, attr3, …’,

// these attributes can be massively assigned only in scenario 2

‘scenario2’ => ‘attr1, attr3, …’,


In my opinion massively assignment should be valid for all scenarios.

Mike, you are right. Thank you for correcting me, I voted your post up.

Thanks, pestaa.

Maybe there’s a little misunderstanding. You can do massive assignment in every scenario. And with safeAttributes() you define which attributes are safe in which scenario. If you always have the same safe attributes, no matter wich scenario, then simply don’t use any scenario in safeAttributes:

public function safeAttributes() {

     return array('type','description','bizrule','data');


A more thorough example:

Let’s say you have a AR User with attributes id, username, firstname, lastname, password, remarks. You want to use it in three different scenarios:

  1. Registration

Here username, firstname lastname and password should be massively assigned. But not id, as bad users could spoil the id on submission.

  1. Login

Only username and password shall be safe here.

  1. Admin/User management

All attributes except id should be safe in this scenario.

The according safeAttributes() could look like this:

public function safeAttributes() {

     return array(

         // the "default" safe attributes, valid if no scenario is specified. 

         // in our case this could be used for admin/user management.

        // Simply don't specify any scenario when creating the model object.



         'registration' => 'username,firstname,lastname,password',


         'login' => 'username,password',



Hey Mike, I understand your point of view :) I think its right. Thank you!