fix for unsafe validator

Closes #8145 #8139 #11153

framework/base/Model.php

@@ -754,7 +754,7 @@ class Model extends Component implements IteratorAggregate, ArrayAccess, Arrayab
         }
         $attributes = [];
         foreach ($scenarios[$scenario] as $attribute) {
-            if ($attribute[0] !== '!') {
+            if ($attribute[0] !== '!' && !in_array('!' . $attribute, $scenarios[$scenario])) {
                 $attributes[] = $attribute;
             }
         }

framework/validators/Validator.php

@@ -231,9 +231,22 @@ class Validator extends Component
     public function validateAttributes($model, $attributes = null)
     {
         if (is_array($attributes)) {
-            $attributes = array_intersect($this->attributes, $attributes);
+            $newAttributes = [];
+            foreach ($attributes as $attribute) {
+                if(in_array($attribute, $this->attributes) || in_array('!' . $attribute, $this->attributes)){
+                    $newAttributes[] = $attribute;
+                }
+            }
+            $attributes = $newAttributes;
         } else {
-            $attributes = $this->attributes;
+            $attributes = [];
+            foreach ($this->attributes as $attribute) {
+                if($attribute[0] === '!'){
+                    $attributes[] = substr($attribute, 1);
+                } else {
+                    $attributes[] = $attribute;
+                }
+            }
         }
         foreach ($attributes as $attribute) {
             $skip = $this->skipOnError && $model->hasErrors($attribute)

tests/framework/base/ModelTest.php

@@ -175,6 +175,50 @@ class ModelTest extends TestCase
         $model->scenario = 'create';
         $this->assertEquals(['account_id', 'user_id', 'email', 'name'], $model->safeAttributes());
         $this->assertEquals(['account_id', 'user_id', 'email', 'name'], $model->activeAttributes());
+
+        $model = new RulesModel();
+        $model->rules = [
+            [['name','!email'], 'required'],
+        ];
+        $this->assertEquals(['name'], $model->safeAttributes());
+        $this->assertEquals(['name', 'email'], $model->activeAttributes());
+        $model->attributes = ['name' => 'mdmunir', 'email' => 'mdm@mun.com'];
+        $this->assertNull($model->email);
+        $this->assertFalse($model->validate());
+
+        $model = new RulesModel();
+        $model->rules = [
+            [['name'], 'required'],
+            [['!user_id'], 'default', 'value' => '3426'],
+        ];
+        $model->attributes = ['name' => 'mdmunir', 'user_id' => '62792684'];
+        $this->assertTrue($model->validate());
+        $this->assertEquals('3426', $model->user_id);
+
+        $model = new RulesModel();
+        $model->rules = [
+            [['name', 'email'], 'required'],
+            [['!email'], 'safe']
+        ];
+        $this->assertEquals(['name'], $model->safeAttributes());
+        $model->attributes = ['name' => 'mdmunir', 'email' => 'm2792684@mdm.com'];
+        $this->assertFalse($model->validate());
+
+        $model = new RulesModel();
+        $model->rules = [
+            [['name', 'email'], 'required'],
+            [['email'], 'email'],
+            [['!email'], 'safe', 'on' => 'update']
+        ];
+        $model->setScenario(RulesModel::SCENARIO_DEFAULT);
+        $this->assertEquals(['name', 'email'], $model->safeAttributes());
+        $model->attributes = ['name' => 'mdmunir', 'email' => 'm2792684@mdm.com'];
+        $this->assertTrue($model->validate());
+        
+        $model->setScenario('update');
+        $this->assertEquals(['name'], $model->safeAttributes());
+        $model->attributes = ['name' => 'D426', 'email' => 'd426@mdm.com'];
+        $this->assertNotEquals('d426@mdm.com', $model->email);
     }
 
     public function testErrors()