
Merge pull request #6203 from ADmad/widgets-2

Widgets with empty name values should not break secured forms.
Mark Story 11 years ago
parent
commit
5ac9ebb7fa

+ 11 - 3
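--- a/src/View/Helper/FormHelper.php
+++ b/src/View/Helper/FormHelper.php
@@ -617,10 +617,14 @@ class FormHelper extends Helper
      * @param string|array $field Reference to field to be secured. Can be dot
      *   separated string to indicate nesting or array of fieldname parts.
      * @param mixed $value Field value, if value should not be tampered with.
-     * @return mixed|null Not used yet
+     * @return void
      */
     protected function _secure($lock, $field, $value = null)
     {
+        if (empty($field) && $field !== '0') {
+            return;
+        }
+
         if (is_string($field)) {
             $field = Hash::filter(explode('.', $field));
         }
@@ -2385,11 +2389,15 @@ class FormHelper extends Helper
      * fieldname parts like ['Model', 'field'] is returned.
      *
      * @param string $name The form inputs name attribute.
-     * @return string|array|null Dot separated string like Foo.bar, array of filename
-     *   params like ['Model', 'field'] or null if options does not contain name.
+     * @return array Array of field name params like ['Model.field'] or
+     *   ['Model', 'field'] for array fields or empty array if $name is empty.
      */
     protected function _secureFieldName($name)
     {
+        if (empty($name) && $name !== '0') {
+            return [];
+        }
+
         if (strpos($name, '[') === false) {
             return [$name];
         }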
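Review bot: The new guard `empty($name) && $name !== '0'` in `_secureFieldName()`, and the same test on `$field` in `_secure()`, also treats integer `0`, `0.0` and `false` as "no name", so a control created with `'name' => 0` would presumably still render as `name="0"` yet be left out of the secured-fields list. That most likely fails closed, since the submitted field would not be covered by the token, but it is inconsistent with the `'0'` case the commit explicitly preserves. Comparing the string form is tighter: `if ((string)$name === '') { return []; }` here, and `if ($field === null || $field === '' || $field === []) { return; }` in `_secure()`. A one-line comment above each guard, saying that a control with an empty name is never submitted by the browser and so must not enter the token's field list, would record why skipping is safe. Both function bodies continue past the hunks shown.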

+ 0 - 3
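--- a/src/View/Widget/SelectBoxWidget.php
+++ b/src/View/Widget/SelectBoxWidget.php
@@ -129,9 +129,6 @@ class SelectBoxWidget implements WidgetInterface
             'val' => null,
         ];
 
-        if (empty($data['name'])) {
-            throw new \RuntimeException('Cannot make inputs with empty name attributes.');
-        }
         $options = $this->_renderContent($data);
         $name = $data['name'];
         unset($data['name'], $data['options'], $data['empty'], $data['val'], $data['escape']);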

+ 19 - 0
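--- a/tests/TestCase/View/Helper/FormHelperTest.php
+++ b/tests/TestCase/View/Helper/FormHelperTest.php
@@ -263,6 +263,25 @@ class FormHelperTest extends TestCase
     }
 
     /**
+     * Test that empty string is not added to secure fields list when
+     * rendering input widget without name.
+     *
+     * @return void
+     */
+    public function testRenderingWidgetWithEmptyName()
+    {
+        $this->assertEquals([], $this->Form->fields);
+
+        $result = $this->Form->widget('select', ['secure' => true, 'name' => '']);
+        $this->assertEquals('<select name=""></select>', $result);
+        $this->assertEquals([], $this->Form->fields);
+
+        $result = $this->Form->widget('select', ['secure' => true, 'name' => '0']);
+        $this->assertEquals('<select name="0"></select>', $result);
+        $this->assertEquals(['0'], $this->Form->fields);
+    }
+
+    /**
      * Test registering an invalid widget class.
      *
      * @expectedException \RuntimeException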
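Review bot: `assertEquals(['0'], $this->Form->fields)` compares loosely, so it would still pass if the helper stored integer `0` instead of the string, which is the very distinction `testRenderingWidgetWithEmptyName()` is meant to pin; `$this->assertSame(['0'], $this->Form->fields);` closes that gap. The test also exercises only `''` and `'0'`. A further case with `'secure' => true` and a `null` or integer `0` name would document how the secured-fields list treats those values.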