fix(database): validate lockForUpdate query restrictions

- add driver validation for Postgre and OCI8 unsupported query shapes
- reject lockForUpdate with union queries across supported builders
- track Query Builder aggregate helper selections for lock validation
- document row-locking restrictions and add focused builder coverage

Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>

Author: memleakd

system/Database/BaseBuilder.php

@@ -115,6 +115,11 @@ class BaseBuilder
      */
     protected bool $QBLockForUpdate = false;
 
+    /**
+     * QB SELECT aggregate helper flag
+     */
+    protected bool $QBSelectUsesAggregate = false;
+
     /**
      * QB ORDER BY data
      *
@@ -547,8 +552,9 @@ protected function maxMinAvgSum(string $select = '', string $alias = '', string
 
         $sql = $type . '(' . $this->db->protectIdentifiers(trim($select)) . ') AS ' . $this->db->escapeIdentifiers(trim($alias));
 
-        $this->QBSelect[]   = $sql;
-        $this->QBNoEscape[] = null;
+        $this->QBSelect[]            = $sql;
+        $this->QBNoEscape[]          = null;
+        $this->QBSelectUsesAggregate = true;
 
         return $this;
     }
@@ -3254,6 +3260,10 @@ protected function compileSelect($selectOverride = false): string
      */
     protected function compileLockForUpdate(): string
     {
+        if ($this->QBLockForUpdate && $this->QBUnion !== []) {
+            throw new DatabaseException('Query Builder does not support lockForUpdate() with union() or unionAll().');
+        }
+
         return $this->QBLockForUpdate ? "\nFOR UPDATE" : '';
     }
 
@@ -3564,18 +3574,19 @@ protected function resetRun(array $qbResetItems)
     protected function resetSelect()
     {
         $this->resetRun([
-            'QBSelect'        => [],
-            'QBJoin'          => [],
-            'QBWhere'         => [],
-            'QBGroupBy'       => [],
-            'QBHaving'        => [],
-            'QBOrderBy'       => [],
-            'QBNoEscape'      => [],
-            'QBDistinct'      => false,
-            'QBLimit'         => false,
-            'QBOffset'        => false,
-            'QBLockForUpdate' => false,
-            'QBUnion'         => [],
+            'QBSelect'              => [],
+            'QBJoin'                => [],
+            'QBWhere'               => [],
+            'QBGroupBy'             => [],
+            'QBHaving'              => [],
+            'QBOrderBy'             => [],
+            'QBNoEscape'            => [],
+            'QBDistinct'            => false,
+            'QBLimit'               => false,
+            'QBOffset'              => false,
+            'QBLockForUpdate'       => false,
+            'QBSelectUsesAggregate' => false,
+            'QBUnion'               => [],
         ]);
 
         if ($this->db instanceof BaseConnection) {

system/Database/OCI8/Builder.php

@@ -218,10 +218,18 @@ protected function _limit(string $sql, bool $offsetIgnore = false): string
      */
     protected function compileLockForUpdate(): string
     {
-        if ($this->QBLockForUpdate && ($this->QBLimit !== false || $this->QBOffset)) {
+        if (! $this->QBLockForUpdate) {
+            return '';
+        }
+
+        if ($this->QBLimit !== false || $this->QBOffset) {
             throw new DatabaseException('OCI8 does not support lockForUpdate() with limit() or offset().');
         }
 
+        if ($this->QBDistinct || $this->QBGroupBy !== [] || $this->QBHaving !== [] || $this->QBSelectUsesAggregate) {
+            throw new DatabaseException('OCI8 does not support lockForUpdate() with distinct(), groupBy(), having(), or aggregate helper selections.');
+        }
+
         return parent::compileLockForUpdate();
     }
 

system/Database/Postgre/Builder.php

@@ -62,6 +62,22 @@ protected function compileIgnore(string $statement)
         return $sql;
     }
 
+    /**
+     * Compile the SELECT lock clause.
+     */
+    protected function compileLockForUpdate(): string
+    {
+        if (! $this->QBLockForUpdate) {
+            return '';
+        }
+
+        if ($this->QBDistinct || $this->QBGroupBy !== [] || $this->QBHaving !== [] || $this->QBSelectUsesAggregate) {
+            throw new DatabaseException('Postgre does not support lockForUpdate() with distinct(), groupBy(), having(), or aggregate helper selections.');
+        }
+
+        return parent::compileLockForUpdate();
+    }
+
     /**
      * ORDER BY
      *

system/Database/SQLSRV/Builder.php

@@ -703,6 +703,10 @@ protected function compileLockForUpdate(): string
             throw new DatabaseException('SQLSRV does not support lockForUpdate() without a FROM table.');
         }
 
+        if ($this->QBUnion !== []) {
+            throw new DatabaseException('Query Builder does not support lockForUpdate() with union() or unionAll().');
+        }
+
         foreach ($this->QBFrom as $value) {
             if (str_starts_with($value, '(SELECT')) {
                 throw new DatabaseException('SQLSRV does not support lockForUpdate() on subqueries.');

tests/system/Database/Builder/SelectTest.php

@@ -17,6 +17,7 @@
 use CodeIgniter\Database\Exceptions\DatabaseException;
 use CodeIgniter\Database\Exceptions\DataException;
 use CodeIgniter\Database\OCI8\Builder as OCI8Builder;
+use CodeIgniter\Database\Postgre\Builder as PostgreBuilder;
 use CodeIgniter\Database\RawSql;
 use CodeIgniter\Database\SQLite3\Builder as SQLite3Builder;
 use CodeIgniter\Database\SQLSRV\Builder as SQLSRVBuilder;
@@ -417,6 +418,28 @@ public function testLockForUpdateResetsWithSelect(): void
         $this->assertSame('SELECT * FROM "users"', str_replace("\n", ' ', $builder->getCompiledSelect()));
     }
 
+    public function testLockForUpdateThrowsExceptionWithUnion(): void
+    {
+        $builder = new BaseBuilder('users', $this->db);
+
+        $this->expectException(DatabaseException::class);
+        $this->expectExceptionMessage('Query Builder does not support lockForUpdate() with union() or unionAll().');
+
+        $builder->union(new BaseBuilder('jobs', $this->db))->lockForUpdate()->getCompiledSelect();
+    }
+
+    public function testLockForUpdateThrowsExceptionWithSQLSRVUnion(): void
+    {
+        $this->db = new MockConnection(['DBDriver' => 'SQLSRV', 'database' => 'test', 'schema' => 'dbo']);
+
+        $builder = new SQLSRVBuilder('users', $this->db);
+
+        $this->expectException(DatabaseException::class);
+        $this->expectExceptionMessage('Query Builder does not support lockForUpdate() with union() or unionAll().');
+
+        $builder->union(new SQLSRVBuilder('jobs', $this->db))->lockForUpdate()->getCompiledSelect();
+    }
+
     public function testLockForUpdateWithOCI8(): void
     {
         $builder = new OCI8Builder('users', $this->db);
@@ -436,6 +459,66 @@ public function testLockForUpdateThrowsExceptionWithOCI8Limit(): void
         $builder->limit(1)->lockForUpdate()->getCompiledSelect();
     }
 
+    #[DataProvider('provideLockForUpdateUnsupportedSelectClauses')]
+    public function testLockForUpdateThrowsExceptionWithOCI8SelectClause(string $clause): void
+    {
+        $builder = new OCI8Builder('users', $this->db);
+
+        $this->expectException(DatabaseException::class);
+        $this->expectExceptionMessage('OCI8 does not support lockForUpdate() with distinct(), groupBy(), having(), or aggregate helper selections.');
+
+        $this->applyLockForUpdateUnsupportedClause($builder, $clause)
+            ->lockForUpdate()
+            ->getCompiledSelect();
+    }
+
+    public function testLockForUpdateWithPostgre(): void
+    {
+        $builder = new PostgreBuilder('users', $this->db);
+
+        $expected = 'SELECT * FROM "users" FOR UPDATE';
+
+        $this->assertSame($expected, str_replace("\n", ' ', $builder->lockForUpdate()->getCompiledSelect()));
+    }
+
+    #[DataProvider('provideLockForUpdateUnsupportedSelectClauses')]
+    public function testLockForUpdateThrowsExceptionWithPostgreSelectClause(string $clause): void
+    {
+        $builder = new PostgreBuilder('users', $this->db);
+
+        $this->expectException(DatabaseException::class);
+        $this->expectExceptionMessage('Postgre does not support lockForUpdate() with distinct(), groupBy(), having(), or aggregate helper selections.');
+
+        $this->applyLockForUpdateUnsupportedClause($builder, $clause)
+            ->lockForUpdate()
+            ->getCompiledSelect();
+    }
+
+    /**
+     * @return iterable<string, list<string>>
+     */
+    public static function provideLockForUpdateUnsupportedSelectClauses(): iterable
+    {
+        yield 'distinct' => ['distinct'];
+
+        yield 'groupBy' => ['groupBy'];
+
+        yield 'having' => ['having'];
+
+        yield 'aggregate selection' => ['aggregate'];
+    }
+
+    private function applyLockForUpdateUnsupportedClause(BaseBuilder $builder, string $clause): BaseBuilder
+    {
+        return match ($clause) {
+            'distinct'  => $builder->distinct(),
+            'groupBy'   => $builder->groupBy('role'),
+            'having'    => $builder->having('COUNT(id) >', 1, false),
+            'aggregate' => $builder->selectCount('id'),
+            default     => throw new DatabaseException('Unsupported clause: ' . $clause),
+        };
+    }
+
     public function testLockForUpdateThrowsExceptionOnSQLite3(): void
     {
         $builder = new SQLite3Builder('users', $this->db);

user_guide_src/source/database/query_builder.rst

@@ -777,18 +777,25 @@ Use this method inside a database transaction. The exact locking behavior is
 determined by the database server and transaction isolation level.
 
 This method is supported by the **MySQLi**, **Postgre**, **OCI8**, and
-**SQLSRV** drivers. Unsupported drivers throw a ``DatabaseException``. See the
-following notes for OCI8 and SQLSRV driver-specific behavior.
+**SQLSRV** drivers. Unsupported drivers throw a ``DatabaseException``.
+``lockForUpdate()`` is not supported with ``union()`` or ``unionAll()``.
+Some databases restrict which query shapes can be used with row locking. When
+CodeIgniter can detect an unsupported combination, it throws a
+``DatabaseException``. See the following warnings for driver-specific behavior.
+
+.. warning:: Postgre does not support ``lockForUpdate()`` with ``distinct()``,
+    ``groupBy()``, ``having()``, or aggregate helper selections such as
+    ``selectCount()``.
 
 .. warning:: SQLSRV uses SQL Server table hints instead of a trailing ``FOR UPDATE``
     clause. The hint is applied to table references in the ``FROM`` clause;
     joined tables are not hinted. Its exact lock granularity depends on SQL
     Server's execution plan and transaction isolation level. SQLSRV does not
     support ``lockForUpdate()`` without a ``FROM`` table or on subqueries.
 
-.. warning:: OCI8 does not support ``lockForUpdate()`` together with ``limit()`` or
-    ``offset()`` because Oracle does not allow ``FOR UPDATE`` with row
-    limiting.
+.. warning:: OCI8 does not support ``lockForUpdate()`` together with
+    ``limit()``, ``offset()``, ``distinct()``, ``groupBy()``, ``having()``, or
+    aggregate helper selections such as ``selectCount()``.
 
 .. _query-builder-union: