Reputation: 1037
I'm currently fiddling around with Lumen and I'm using Eloquent for my DB interaction. I've read through the docs of Eloquent and there was this explanation about hidden attributes:
Sometimes you may wish to limit the attributes, such as passwords, that are included in your model's array or JSON representation. To do so, add a $hidden property to your model:
    <?php
    namespace App;

    use Illuminate\Database\Eloquent\Model;

    class User extends Model
    {
        /**
         * The attributes that should be hidden for arrays.
         *
         * @var array
         */
        protected $hidden = ['password'];
    }
Alternatively, you may use the visible property to define a white-list of attributes that should be included in your model's array and JSON representation. All other attributes will be hidden when the model is converted to an array or JSON:
I don't understand what implications this has. If I have a query where a password is being inserted, should I hide it? Or will this cause the password not to appear at all inside my model instance?
For example, I have the following User Model:
    <?php
    namespace App;

    use Illuminate\Auth\Authenticatable;
    use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
    use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
    use Illuminate\Database\Eloquent\Model;
    use Laravel\Lumen\Auth\Authorizable;

    class User extends Model implements AuthenticatableContract, AuthorizableContract
    {
        use Authenticatable, Authorizable;

        //protected $table = 'user';

        /**
         * The attributes that are mass assignable.
         *
         * @var array
         */
        protected $fillable = ['name', 'email', 'role'];

        /**
         * The attributes excluded from the model's JSON form.
         *
         * @var array
         */
        protected $hidden = ['password'];

        public $timestamps = false;
    }
I'm now running a controller which shall insert name, email, password and role of a new user into users table. Here you can see the table: https://i.sstatic.net/T3I2n.jpg
Now, when accessing my model to insert a new row like this: User::create($requestData);
something goes wrong... The password doesn't get inserted. I debugged the input, the data is there, the JSON string of the input right before the insertion takes place looks like this:
{"name":"tester1","email":"[email protected]","password":"3627909a29c31381a071ec27f7c9ca97726182aed29a7ddd2e54353322cfb30abb9e3a6df2ac2c20fe23436311d678564d0c8d305930575f60e2d3d048184d79","role":"Benutzer"}
The password was hashed using the PHP function hash("sha512", $password);. It's based on "12345", just for testing :D :P
The hashed password has, as expected, the required length of 128 characters.
Any idea if this behavior is caused by the password attribute being defined as hidden in the model?
EDIT: This is how I hash my password:
$requestData["password"] = hash("sha512", $requestData["password"]);
Upvotes: 3
Views: 10362
Reputation: 11
protected $hidden is an array and is a Model class parameter; what it does is hide those columns (in the array) from the database in the query results. In your example, $hidden = ['password'] makes the 'password' column invisible in user results.
https://laravel.com/api/6.x/Illuminate/Database/Eloquent/Model.html 'protected array $hidden The attributes that should be hidden for serialization.'
Upvotes: 1
Reputation: 35190
The password won't get inserted as you don't have password in your $fillable array.
The $fillable array is to protect against mass assignment. If you are "filling" the model's attributes from an array you will need to add the attribute name to this array.
That being said, I would actually recommend you don't add password to the $fillable array and instead explicitly set the password on the model:

    $user = new User($requestData);
    $user->password = $requestData["password"];
    $user->save();

As mentioned in the comments, the $hidden attribute is purely for when the model is cast to an array or converted to JSON, so it shouldn't have an effect on inserts (or anything else).
Upvotes: 6
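The split between $fillable (mass assignment) and $hidden (serialization) described in the answer above, as an added example that is not code from the question or either answer. It assumes illuminate/database is installed through Composer, uses a constructed request payload, and stores the password with PHP's password_hash() in place of the question's hash("sha512", ...), because password_hash() salts each hash and uses an algorithm designed for password storage.

```php
<?php
// Added example; assumes illuminate/database was installed with Composer.
// Nothing here calls save(), so no database connection is required.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    protected $fillable = ['name', 'email', 'role']; // mass-assignment allow-list
    protected $hidden = ['password'];                // affects toArray()/toJson() only
    public $timestamps = false;
}

// Fail loudly if an expectation about the model does not hold.
function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException("Expectation failed: $message");
    }
    echo "ok: $message\n";
}

// Constructed request payload (sample values, not real data).
$requestData = [
    'name'     => 'tester1',
    'email'    => 'tester1@example.test',
    'password' => '12345',
    'role'     => 'Benutzer',
];

// 1. Mass assignment: 'password' is not in $fillable, so fill() drops it.
$user = new User($requestData);
check(!array_key_exists('password', $user->getAttributes()),
    'mass assignment ignored the non-fillable password');

// 2. Explicit assignment is not subject to $fillable.
$user->password = password_hash($requestData['password'], PASSWORD_DEFAULT);
check(password_verify('12345', $user->getAttributes()['password']),
    'explicitly set password hash is on the model and would be saved');

// 3. $hidden removes the column from serialized output, not from the model.
check(!array_key_exists('password', $user->toArray()),
    'toArray() omits the hidden password');
check(strpos($user->toJson(), 'password') === false,
    'toJson() omits the hidden password');
check($user->password !== null,
    'the attribute is still readable on the instance');
```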