Unsafe Attributes, Logged But No Errors

Hi all,

I have an attribute that I want to be unsafe, so I made a rule declaring it as ‘unsafe’. When I run code that tries to change it, the attribute is NOT changed; however, there is also no error attached. I looked at my Yii log and it states “Failed to set unsafe attribute…” but there was no error added to the model like other rules do.

Model code:

public function rules()
{
   return array(
      // ... (rules not shown in the post)
   );
}


Controller code:

public function actionUpdate($id)
{
   $model = $this->loadModel($id);

   // Raw JSON request body, massively assigned to the model
   $body = file_get_contents('php://input');
   $model->attributes = CJSON::decode( $body );

   if( $model->save() )
   {
      $this::sendResponse(200, $model);
   }
   else
   {
      $this::sendResponse(400, $model->errors);
   }
}


In the above code, $model->save() always evaluates to true when I try to modify the unsafe attribute.

Any suggestions?

Hi ardetrick

I think safe and unsafe validators don’t add errors in models.

I checked the files CSafeValidator.php and CUnsafeValidator.php in the framework/validators folder and I confirmed it.

But what exactly do you want to do?

Also check this wiki for a full understanding of the ‘unsafe’ validator’s usability.



Thanks for your help!

I also took a look at the source code and saw no place where an error was being attached. However, according to the documentation there should be an error attached when it does not pass.

You can see this at http://www.yiiframework.com/doc/api/1.1/CUnsafeValidator under the validateAttribute() description

Validates the attribute of the object. If there is any error, the error message is added to the object.


Also the source code for this function is empty. Why is that?

I want an error to be attached so that upon failure to update a specific attribute I can alert the user that they are not allowed to do that.

I think you are right!

We are waiting for an answer from the Yii developers.

Currently you could make your own custom validator to do that.


I suggest you read the following wiki article to understand what the safe validator is used for:


Thanks for your input, CeBe. After reading that article, I think I understand why ‘unsafe’ does not explicitly attach an error. Correct me if I am wrong, but if it did attach errors, then on almost any update where the entire object was given in the POST it would likely attach an error, because you wouldn’t want the ID or Password field to be updated (if those were indeed in the body), but they had to be included for other reasons like perhaps security or something.

Thanks for the help.
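
One way to get the error asked for in this thread, as an added example that is not code from any poster or from Yii itself: override CModel::onUnsafeAttribute(), the hook that writes the “Failed to set unsafe attribute” log line, to remember refused names, and attach the errors in afterValidate(), because validate() clears errors set earlier. The class name Item and the property $_rejected are hypothetical; unchanged values are skipped so that a client echoing the whole record back is not rejected.

```php
<?php
// Added example for Yii 1.1. "Item" and $_rejected are hypothetical names;
// rules() with the 'unsafe' rule is assumed to exist as in the poster's model.
class Item extends CActiveRecord
{
    /** @var array names of attributes refused during massive assignment */
    private $_rejected = array();

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    /**
     * Called by setAttributes() for every submitted key that is not safe in
     * the current scenario. The stock version only logs (when YII_DEBUG is
     * on); this one also remembers which columns the client tried to change.
     */
    public function onUnsafeAttribute($name, $value)
    {
        parent::onUnsafeAttribute($name, $value);

        // Keys that are not columns are ignored, so client-chosen strings
        // never end up in error messages.
        if (!$this->hasAttribute($name)) {
            return;
        }
        // An echoed-back, unchanged value (e.g. the id) is not an attempt
        // to modify the field.
        if (is_scalar($value)
            && (string)$this->getAttribute($name) === (string)$value) {
            return;
        }
        $this->_rejected[$name] = true;
    }

    /**
     * validate() calls clearErrors() before running the rules, so errors
     * added at assignment time would be lost. Attach them here instead.
     */
    protected function afterValidate()
    {
        foreach (array_keys($this->_rejected) as $name) {
            $label = $this->getAttributeLabel($name);
            $this->addError($name, $label . ' cannot be modified.');
        }
        $this->_rejected = array();
        parent::afterValidate();
    }
}
```

With this model, the actionUpdate() shown in the first post gets false from save() and returns the 400 response with the errors. Calling save(false) skips validation and therefore skips this check.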