Fixes #5001: `yii\rest\CreateAction`, `yii\rest\UpdateAction` and…

framework/CHANGELOG.md

@@ -92,6 +92,7 @@ Yii Framework 2 Change Log
 - Bug #4920: `yii\filters\auth\CompositeAuth` should not trigger error as long as one of the methods succeeds (qiangxue)
 - Bug #4954: MSSQL column comments are not retrieved correctly (SerjRamone)
 - Bug #4970: `joinWith()` called by a relation was ignored by `yii\db\ActiveQuery` (stepanselyuk)
+- Bug #5001: `yii\rest\CreateAction`, `yii\rest\UpdateAction` and `yii\rest\DeleteAction` should throw 500 error if the model operation returns false without validation errors (qiangxue)
 - Bug: Fixed inconsistent return of `\yii\console\Application::runAction()` (samdark)
 - Bug: URL encoding for the route parameter added to `\yii\web\UrlManager` (klimov-paul)
 - Bug: Fixed the bug that requesting protected or private action methods would cause 500 error instead of 404 (qiangxue)

framework/rest/CreateAction.php

@@ -10,6 +10,7 @@ namespace yii\rest;
 use Yii;
 use yii\base\Model;
 use yii\helpers\Url;
+use yii\web\ServerErrorHttpException;
 
 /**
  * CreateAction implements the API endpoint for creating a new model from the given data.
@@ -51,6 +52,8 @@ class CreateAction extends Action
             $response->setStatusCode(201);
             $id = implode(',', array_values($model->getPrimaryKey(true)));
             $response->getHeaders()->set('Location', Url::toRoute([$this->viewAction, 'id' => $id], true));
+        } elseif (!$model->hasErrors()) {
+            throw new ServerErrorHttpException('Failed to create the object for unknown reason.');
         }
 
         return $model;

framework/rest/DeleteAction.php

@@ -8,6 +8,7 @@
 namespace yii\rest;
 
 use Yii;
+use yii\web\ServerErrorHttpException;
 
 /**
  * DeleteAction implements the API endpoint for deleting a model.
@@ -29,7 +30,9 @@ class DeleteAction extends Action
             call_user_func($this->checkAccess, $this->id, $model);
         }
 
-        $model->delete();
+        if ($model->delete() === false) {
+            throw new ServerErrorHttpException('Failed to delete the object for unknown reason.');
+        }
 
         Yii::$app->getResponse()->setStatusCode(204);
     }

framework/rest/UpdateAction.php

@@ -10,6 +10,7 @@ namespace yii\rest;
 use Yii;
 use yii\base\Model;
 use yii\db\ActiveRecord;
+use yii\web\ServerErrorHttpException;
 
 /**
  * UpdateAction implements the API endpoint for updating a model.
@@ -42,7 +43,9 @@ class UpdateAction extends Action
 
         $model->scenario = $this->scenario;
         $model->load(Yii::$app->getRequest()->getBodyParams(), '');
-        $model->save();
+        if ($model->save() === false && !$model->hasErrors()) {
+            throw new ServerErrorHttpException('Failed to update the object for unknown reason.');
+        }
 
         return $model;
     }

framework/web/ServerErrorHttpException.php

+<?php
+/**
+ * @link http://www.yiiframework.com/
+ * @copyright Copyright (c) 2008 Yii Software LLC
+ * @license http://www.yiiframework.com/license/
+ */
+
+namespace yii\web;
+
+/**
+ * ServerErrorHttpException represents an "Internal Server Error" HTTP exception with status code 500.
+ *
+ * @author Qiang Xue <qiang.xue@gmail.com>
+ * @since 2.0
+ */
+class ServerErrorHttpException extends HttpException
+{
+    /**
+     * Constructor.
+     * @param string $message error message
+     * @param integer $code error code
+     * @param \Exception $previous The previous exception used for the exception chaining.
+     */
+    public function __construct($message = null, $code = 0, \Exception $previous = null)
+    {
+        parent::__construct(500, $message, $code, $previous);
+    }
+}