Document CakePHP 5.4 features

- Migration guide: RequestToDto, FormProtection convenience methods,
  new query expression methods, nested array marshalling, inputId
  template variable
- Query builder: notBetween(), inOrNull(), notInOrNull(),
  isDistinctFrom(), isNotDistinctFrom()
- FormProtection: unlockActions() and unlockFields() methods
- Dependency injection: Request to DTO mapping with #[RequestToDto]
- ORM saving: nested array format for associated marshalling
- FormHelper: {{inputId}} template variable

Author: dereuromark

docs/en/appendices/5-4-migration-guide.md

@@ -49,6 +49,138 @@ $this->hasMany('Comments', [
 
 ## New Features
 
+### Controller
+
+#### RequestToDto Attribute
+
+A new ``#[RequestToDto]`` attribute enables automatic mapping of request data to
+Data Transfer Objects in controller actions. This provides a clean way to handle
+form data with type safety:
+
+```php
+use Cake\Controller\Attribute\RequestToDto;
+
+class UsersController extends AppController
+{
+    public function create(#[RequestToDto] UserCreateDto $dto): void
+    {
+        // $dto is automatically populated from request data
+        $user = $this->Users->newEntity([
+            'email' => $dto->email,
+            'name' => $dto->name,
+        ]);
+    }
+}
+```
+
+Your DTO class must implement a static ``createFromArray()`` method:
+
+```php
+class UserCreateDto
+{
+    public function __construct(
+        public string $email,
+        public string $name,
+    ) {
+    }
+
+    public static function createFromArray(array $data): self
+    {
+        return new self(
+            email: $data['email'] ?? '',
+            name: $data['name'] ?? '',
+        );
+    }
+}
+```
+
+The attribute supports configuring the data source:
+
+```php
+use Cake\Controller\Attribute\Enum\RequestToDtoSource;
+
+// Use query string parameters
+public function search(
+    #[RequestToDto(source: RequestToDtoSource::Query)] SearchDto $dto
+): void {}
+
+// Use POST body data
+public function create(
+    #[RequestToDto(source: RequestToDtoSource::Body)] CreateDto $dto
+): void {}
+
+// Merge query and body (body takes precedence)
+public function update(
+    #[RequestToDto(source: RequestToDtoSource::Request)] UpdateDto $dto
+): void {}
+
+// Auto-detect based on request method (default)
+public function handle(
+    #[RequestToDto(source: RequestToDtoSource::Auto)] DataDto $dto
+): void {}
+```
+
+#### FormProtection Convenience Methods
+
+``FormProtectionComponent`` now has convenience methods for unlocking actions
+and fields:
+
+```php
+// In your controller's beforeFilter()
+$this->FormProtection->unlockActions(['api', 'webhook']);
+$this->FormProtection->unlockFields(['dynamic_field', 'optional_field']);
+
+// With merge option (default is true)
+$this->FormProtection->unlockActions('newAction', merge: true);
+$this->FormProtection->unlockFields(['field1', 'field2'], merge: false);
+```
+
+### Database
+
+#### Query Expression Methods
+
+New convenience methods have been added to ``QueryExpression``:
+
+- ``notBetween()`` for ``NOT BETWEEN`` expressions:
+
+  ```php
+  $query = $articles->find()
+      ->where(function (QueryExpression $exp) {
+          return $exp->notBetween('view_count', 100, 1000);
+      });
+  // WHERE view_count NOT BETWEEN 100 AND 1000
+  ```
+
+- ``inOrNull()`` for ``(field IN (...) OR field IS NULL)`` patterns:
+
+  ```php
+  $query = $articles->find()
+      ->where(function (QueryExpression $exp) {
+          return $exp->inOrNull('category_id', [1, 2, 3]);
+      });
+  // WHERE (category_id IN (1, 2, 3) OR category_id IS NULL)
+  ```
+
+- ``isDistinctFrom()`` and ``isNotDistinctFrom()`` for null-safe comparisons:
+
+  ```php
+  $query = $articles->find()
+      ->where(function (QueryExpression $exp) {
+          // True when values differ, treating NULL as a comparable value
+          return $exp->isDistinctFrom('status', 'published');
+      });
+  // WHERE status IS DISTINCT FROM 'published'
+  // MySQL uses: NOT (status <=> 'published')
+
+  $query = $articles->find()
+      ->where(function (QueryExpression $exp) {
+          // True when values are equal, treating NULL = NULL as true
+          return $exp->isNotDistinctFrom('category_id', null);
+      });
+  // WHERE category_id IS NOT DISTINCT FROM NULL
+  // MySQL uses: category_id <=> NULL
+  ```
+
 ### I18n
 
 - `Number::toReadableSize()` now calculates decimal units (KB, MB, GB and TB)
@@ -58,9 +190,59 @@ to KiB, MiB, GiB, and TiB as defined in ISO/IEC 80000-13. It is possible to
 switch between the two units using a new optional boolean parameter in
 `Number::toReadableSize()`, as well as the new global setter `Number::setUseIecUnits()`.
 
+### ORM
+
+#### Nested Array Format for Marshalling
+
+The ``associated`` option in ``newEntity()`` and ``patchEntity()`` now supports
+the same nested array format as ``contain()``:
+
+```php
+// Nested arrays (new in 5.4)
+$entity = $articles->newEntity($data, [
+    'associated' => [
+        'Tags',
+        'Comments' => [
+            'Users',
+            'Attachments',
+        ],
+    ],
+]);
+
+// Mixed with options
+$entity = $articles->newEntity($data, [
+    'associated' => [
+        'Tags' => ['onlyIds' => true],
+        'Comments' => [
+            'Users',
+            'validate' => 'special',
+        ],
+    ],
+]);
+```
+
+CakePHP distinguishes associations from options using naming conventions:
+- Association names use PascalCase (e.g., ``Users``, ``Comments``)
+- Option keys use camelCase (e.g., ``onlyIds``, ``validate``)
+
 ### Utility
 
 - New `Cake\Utility\Fs\Finder` class provides a fluent, iterator-based API for
   discovering files and directories with support for pattern matching, depth
   control, and custom filters. The `Cake\Utility\Fs\Path` class offers
   cross-platform utilities for path manipulation.
+
+### View
+
+#### FormHelper Template Variables
+
+The ``inputContainer`` and ``error`` templates now receive an ``{{inputId}}``
+variable containing the input element's HTML id attribute. This is useful for
+generating related element IDs for ARIA attributes or custom JavaScript:
+
+```php
+$this->Form->setTemplates([
+    'inputContainer' => '<div class="input {{type}}{{required}}" id="{{inputId}}-container">{{content}}</div>',
+    'error' => '<div class="error" id="{{inputId}}-error">{{content}}</div>',
+]);
+```

docs/en/controllers/components/form-protection.md

@@ -140,6 +140,51 @@ class WidgetController extends AppController
 
 This example would disable all security checks for the edit action.
 
+You can also use the convenience method ``unlockActions()``:
+
+```php
+public function beforeFilter(EventInterface $event): void
+{
+    parent::beforeFilter($event);
+
+    // Unlock a single action
+    $this->FormProtection->unlockActions('edit');
+
+    // Unlock multiple actions
+    $this->FormProtection->unlockActions(['edit', 'api', 'webhook']);
+
+    // Replace existing unlocked actions instead of merging
+    $this->FormProtection->unlockActions(['newAction'], merge: false);
+}
+```
+
+::: info Added in version 5.4.0
+:::
+
+## Unlocking fields
+
+To unlock specific fields from validation, you can use the ``unlockFields()``
+convenience method:
+
+```php
+public function beforeFilter(EventInterface $event): void
+{
+    parent::beforeFilter($event);
+
+    // Unlock a single field
+    $this->FormProtection->unlockFields('dynamic_field');
+
+    // Unlock multiple fields
+    $this->FormProtection->unlockFields(['optional_field', 'ajax_field']);
+
+    // Dot notation for nested fields
+    $this->FormProtection->unlockFields('user.preferences');
+}
+```
+
+::: info Added in version 5.4.0
+:::
+
 ## Handling validation failure through callbacks
 
 If form protection validation fails it will result in a 400 error by default.

docs/en/development/dependency-injection.md

@@ -425,6 +425,106 @@ database. Because this service is injected into our controller, we can easily
 swap the implementation out with a mock object or a dummy sub-class when
 testing.
 
+## Request to DTO Mapping
+
+CakePHP supports automatic mapping of request data to Data Transfer Objects (DTOs)
+using the `#[RequestToDto]` attribute. This provides a clean, type-safe way to
+handle form data in controller actions:
+
+```php
+use Cake\Controller\Attribute\RequestToDto;
+
+class UsersController extends AppController
+{
+    public function create(#[RequestToDto] UserCreateDto $dto): void
+    {
+        // $dto is automatically populated from request data
+        $user = $this->Users->newEntity([
+            'email' => $dto->email,
+            'name' => $dto->name,
+        ]);
+
+        if ($this->Users->save($user)) {
+            $this->Flash->success('User created');
+            return $this->redirect(['action' => 'index']);
+        }
+    }
+}
+```
+
+Your DTO class must implement a static `createFromArray()` method:
+
+```php
+namespace App\Dto;
+
+class UserCreateDto
+{
+    public function __construct(
+        public string $email,
+        public string $name,
+        public ?string $phone = null,
+    ) {
+    }
+
+    public static function createFromArray(array $data): self
+    {
+        return new self(
+            email: $data['email'] ?? '',
+            name: $data['name'] ?? '',
+            phone: $data['phone'] ?? null,
+        );
+    }
+}
+```
+
+### Configuring the Data Source
+
+By default, the attribute auto-detects the data source based on the request method
+(query params for GET, body data for POST/PUT/PATCH). You can explicitly configure
+the source using the `RequestToDtoSource` enum:
+
+```php
+use Cake\Controller\Attribute\RequestToDto;
+use Cake\Controller\Attribute\Enum\RequestToDtoSource;
+
+class ArticlesController extends AppController
+{
+    // Use query string parameters
+    public function search(
+        #[RequestToDto(source: RequestToDtoSource::Query)] SearchCriteriaDto $criteria
+    ): void {
+        $articles = $this->Articles->find()
+            ->where(['title LIKE' => "%{$criteria->query}%"])
+            ->limit($criteria->limit);
+    }
+
+    // Use POST body data explicitly
+    public function create(
+        #[RequestToDto(source: RequestToDtoSource::Body)] ArticleCreateDto $dto
+    ): void {
+        // ...
+    }
+
+    // Merge query params and body data (body takes precedence)
+    public function update(
+        int $id,
+        #[RequestToDto(source: RequestToDtoSource::Request)] ArticleUpdateDto $dto
+    ): void {
+        // ...
+    }
+}
+```
+
+The available source options are:
+
+- `RequestToDtoSource::Auto` - Auto-detect based on request method (default)
+- `RequestToDtoSource::Query` - Use query string parameters
+- `RequestToDtoSource::Body` - Use POST/PUT body data
+- `RequestToDtoSource::Request` - Merge query params and body data
+
+::: info Added in version 5.4.0
+:::
+
 ## Command Example
 
 ```php