cakephp · markstory · Aug 21, 2025 · Aug 18, 2025
diff --git a/en/appendices/5-3-migration-guide.rst b/en/appendices/5-3-migration-guide.rst
@@ -113,6 +113,13 @@ Mailer
 - Added ``Message::addAttachment()`` for adding attachments to a message. Like
   other message methods, it can be accessed via the ``Mailer`` instance as ``$mailer->addAttachment()``.
 
+ORM
+---
+
+- ``Table::patchEntity()``, ``Table::newEntity()``, ``Marshaller::one()`` and
+  ``Marshaller::many()`` now accept a ``strictFields`` option that only applies
+  validation to the fields listed in the ``fields`` option.
+
 Routing
 -------
 

diff --git a/en/orm/saving-data.rst b/en/orm/saving-data.rst
@@ -713,6 +713,23 @@ Using this feature is handy when you have many different functions your users
 can access and you want to let your users edit different data based on their
 privileges.
 
+When using the ``fields`` option, validation will be applied to all fields in
+the request data. You can limit validation to only the allowed fields by passing
+``strictFields`` to the ``patchEntity()`` or ``newEntity()`` call::
+
+    // Contains ['user_id' => 100, 'title' => 'Hacked!'];
+    $data = $this->request->getData();
+
+    // Only title will be validated and updated.
+    $entity = $this->patchEntity($entity, $data, [
+        'fields' => ['title'],
+        'strictFields' => true,
+    ]);
+    $this->save($entity);
+
+.. versionadded:: 5.3.0
+    The ``strictFields`` option was added in 5.3.0.
+
 .. _saving-entities:
 
 Saving Entities