Prevent Attribute accessors from running for non-arrayable attributes

eanderson43 · eanderson43 · commit d3e9177e4d39 · 2025-12-07T12:10:39.000-05:00
Ensure that Attribute-based accessors are only invoked for arrayable
attributes during model serialization. This prevents hidden / non-visible
attributes from triggering accessors as a side-effect of toArray() /
toJson(), which can cause unnecessary work or unexpected exceptions.

- Derive mutated attributes only from arrayable keys via
  getArrayableMutatedAttributes().
- Lazily resolve Attribute accessors in hasAttributeGetMutator() and
  cache the result per class/key.
- Avoid invoking Attribute methods in getAttributeMarkedMutatorMethods();
  inspect return types only.
- Use the new Attribute-based mutator path consistently in
  mutateAttributeForArray().

Includes tests covering:
- non-visible Attribute accessors not being called
- visible Attribute accessors being called
- hidden Attribute accessors not being called
- set-only Attribute mutators not breaking serialization
diff --git a/src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php b/src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php
@@ -221,8 +221,11 @@ public function attributesToArray()
             $attributes = $this->getArrayableAttributes()
         );
 
+        // Important: derive mutated attributes *only* from the arrayable keys
+        $mutatedAttributes = $this->getArrayableMutatedAttributes($attributes);
+
         $attributes = $this->addMutatedAttributesToArray(
-            $attributes, $mutatedAttributes = $this->getMutatedAttributes()
+            $attributes, $mutatedAttributes
         );
 
         // Next we will handle any casts that have been setup for this model and cast
@@ -679,15 +682,24 @@ public function hasAttributeMutator($key)
      */
     public function hasAttributeGetMutator($key)
     {
-        if (isset(static::$getAttributeMutatorCache[get_class($this)][$key])) {
-            return static::$getAttributeMutatorCache[get_class($this)][$key];
+        $class = get_class($this);
+
+        if (array_key_exists($key, static::$getAttributeMutatorCache[$class] ?? [])) {
+            return static::$getAttributeMutatorCache[$class][$key];
         }
 
+        // First, ensure there's actually an Attribute-returning method
         if (! $this->hasAttributeMutator($key)) {
-            return static::$getAttributeMutatorCache[get_class($this)][$key] = false;
+            return static::$getAttributeMutatorCache[$class][$key] = false;
         }
 
-        return static::$getAttributeMutatorCache[get_class($this)][$key] = is_callable($this->{Str::camel($key)}()->get);
+        // Lazy evaluation: only now do we resolve and inspect the Attribute
+        try {
+            $attribute = $this->{Str::camel($key)}();
+            return static::$getAttributeMutatorCache[$class][$key] = is_callable($attribute->get);
+        } catch (\Throwable $e) {
+            return static::$getAttributeMutatorCache[$class][$key] = false;
+        }
     }
 
     /**
@@ -752,14 +764,14 @@ protected function mutateAttributeForArray($key, $value)
     {
         if ($this->isClassCastable($key)) {
             $value = $this->getClassCastableAttributeValue($key, $value);
-        } elseif (isset(static::$getAttributeMutatorCache[get_class($this)][$key]) &&
-                  static::$getAttributeMutatorCache[get_class($this)][$key] === true) {
+        } elseif ($this->hasAttributeGetMutator($key)) {
+            // Attribute::make(get: ...)
             $value = $this->mutateAttributeMarkedAttribute($key, $value);
 
-            $value = $value instanceof DateTimeInterface
-                ? $this->serializeDate($value)
-                : $value;
-        } else {
+            if ($value instanceof DateTimeInterface) {
+                $value = $this->serializeDate($value);
+            }
+        } elseif ($this->hasGetMutator($key)) {
             $value = $this->mutateAttribute($key, $value);
         }
 
@@ -2437,6 +2449,20 @@ public function getMutatedAttributes()
         return static::$mutatorCache[static::class];
     }
 
+    protected function getArrayableMutatedAttributes(array $attributes): array
+    {
+        $keys = array_keys($attributes);
+
+        if ($keys === []) {
+            return [];
+        }
+
+        // Only consider keys that are actually arrayable *and* have a mutator
+        return array_values(array_filter($keys, function ($key) {
+            return $this->hasAnyGetMutator($key);
+        }));
+    }
+
     /**
      * Extract and cache all the mutated attributes of a class.
      *
@@ -2449,8 +2475,17 @@ public static function cacheMutatedAttributes($classOrInstance)
 
         $class = $reflection->getName();
 
-        static::$getAttributeMutatorCache[$class] = (new Collection($attributeMutatorMethods = static::getAttributeMarkedMutatorMethods($classOrInstance)))
-            ->mapWithKeys(fn ($match) => [lcfirst(static::$snakeAttributes ? Str::snake($match) : $match) => true])
+        // Get Attribute return type methods without invoking them (lazy caching)
+        $attributeMutatorMethods = static::getAttributeMarkedMutatorMethods($classOrInstance);
+
+        // Initialize cache with method names but don't set to true yet
+        // This allows us to know which methods might be Attribute mutators
+        // without invoking them. The actual 'get' callable check happens lazily
+        // in hasAttributeGetMutator() when the attribute is actually accessed.
+        static::$getAttributeMutatorCache[$class] = (new Collection($attributeMutatorMethods))
+            ->mapWithKeys(fn ($match) => [
+                lcfirst(static::$snakeAttributes ? Str::snake($match) : $match) => null
+            ])
             ->all();
 
         static::$mutatorCache[$class] = (new Collection(static::getMutatorMethods($class)))
@@ -2482,17 +2517,9 @@ protected static function getAttributeMarkedMutatorMethods($class)
     {
         $instance = is_object($class) ? $class : new $class;
 
-        return (new Collection((new ReflectionClass($instance))->getMethods()))->filter(function ($method) use ($instance) {
-            $returnType = $method->getReturnType();
-
-            if ($returnType instanceof ReflectionNamedType &&
-                $returnType->getName() === Attribute::class) {
-                if (is_callable($method->invoke($instance)->get)) {
-                    return true;
-                }
-            }
-
-            return false;
-        })->map->name->values()->all();
+        return (new Collection((new ReflectionClass($instance))->getMethods()))
+            ->filter(fn ($method) => $method->getReturnType() instanceof ReflectionNamedType &&
+                $method->getReturnType()->getName() === Attribute::class)
+            ->map->name->values()->all();
     }
 }
diff --git a/tests/Database/DatabaseEloquentModelTest.php b/tests/Database/DatabaseEloquentModelTest.php
@@ -3546,6 +3546,115 @@ public function testDefaultBuilderIsUsedWhenUseEloquentBuilderAttributeIsNotPres
 
         $this->assertNotInstanceOf(CustomBuilder::class, $eloquentBuilder);
     }
+
+    public function testAccessorsNotCalledForNonVisibleAttributes()
+    {
+        $model = new class extends Model {
+            protected $visible = ['id', 'name'];
+            protected $attributes = ['id' => 1, 'name' => 'Test'];
+            
+            public $locationAccessorCalled = false;
+            public $timezoneAccessorCalled = false;
+            
+            protected function location(): Attribute
+            {
+                $this->locationAccessorCalled = true;
+                return Attribute::make(
+                    get: fn () => 'Paris',
+                );
+            }
+            
+            protected function timezone(): Attribute
+            {
+                $this->timezoneAccessorCalled = true;
+                return Attribute::make(
+                    get: fn () => 'Europe/Paris',
+                );
+            }
+        };
+        
+        $array = $model->toArray();
+        
+        $this->assertFalse($model->locationAccessorCalled, 'Location accessor should not be called for non-visible attributes');
+        $this->assertFalse($model->timezoneAccessorCalled, 'Timezone accessor should not be called for non-visible attributes');
+        $this->assertArrayNotHasKey('location', $array);
+        $this->assertArrayNotHasKey('timezone', $array);
+        $this->assertEquals(['id' => 1, 'name' => 'Test'], $array);
+    }
+
+    public function testAccessorsCalledForVisibleAttributes()
+    {
+        $model = new class extends Model {
+            protected $visible = ['id', 'name', 'location'];
+            protected $attributes = ['id' => 1, 'name' => 'Test', 'location' => 'original'];
+            
+            public $locationAccessorCalled = false;
+            
+            protected function location(): Attribute
+            {
+                $this->locationAccessorCalled = true;
+                return Attribute::make(
+                    get: fn ($value) => 'Paris',
+                );
+            }
+        };
+        
+        $array = $model->toArray();
+        
+        $this->assertTrue($model->locationAccessorCalled, 'Location accessor should be called for visible attributes');
+        $this->assertArrayHasKey('location', $array);
+        $this->assertEquals('Paris', $array['location']);
+        $this->assertEquals(['id' => 1, 'name' => 'Test', 'location' => 'Paris'], $array);
+    }
+
+    public function testAccessorsNotCalledForHiddenAttributes()
+    {
+        $model = new class extends Model {
+            protected $hidden = ['location'];
+            protected $attributes = ['id' => 1, 'name' => 'Test', 'location' => 'original'];
+            
+            public $locationAccessorCalled = false;
+            
+            protected function location(): Attribute
+            {
+                $this->locationAccessorCalled = true;
+                return Attribute::make(
+                    get: fn ($value) => 'Paris',
+                );
+            }
+        };
+        
+        $array = $model->toArray();
+        
+        $this->assertFalse($model->locationAccessorCalled, 'Location accessor should not be called for hidden attributes');
+        $this->assertArrayNotHasKey('location', $array);
+        $this->assertEquals(['id' => 1, 'name' => 'Test'], $array);
+    }
+
+    public function testSetOnlyAttributeMutatorDoesNotBreakSerialization() 
+    {
+        $model = new Class extends Model {
+            protected $visible = ['id', 'name', 'foo'];
+            protected $attributes = ['id' => 1, 'name' => 'Test', 'foo' => 'ORIGINAL'];
+
+            protected function foo(): Attribute
+            {
+                return Attribute::make(
+                    set: function ($value) {
+                        return ['foo' => strtolower($value)];
+                    }
+                );
+            }
+        };
+
+        // Set the attribute using the set mutator
+        $model->foo = 'BAR';
+
+        $array = $model->toArray();
+
+        // Should not crash, and should still include foo with whatever raw value is stored.
+        $this->assertArrayHasKey('foo', $array);
+    }
 }
 
 class CustomBuilder extends Builder
