distinct validation rule can protect nested request payloads from duplicate reference values before they corrupt relationship mapping. He also highlights the strict and ignore_case options for cases where loose comparison is not enough.
Read more]]>
Here's a typical setup in a controller:
use Spatie\QueryBuilder\AllowedFilter; use Spatie\QueryBuilder\QueryBuilder; $users = QueryBuilder::for(User::class) ->allowedFilters( AllowedFilter::partial('name'), AllowedFilter::exact('status'), ) ->get();
With that in place, the package wires up two filters that clients can use through the query string.
A request to /users?filter[name]=john runs:
SELECT * FROM users WHERE LOWER(name) LIKE '%john%'
A request to /users?filter[status]=active runs:
SELECT * FROM users WHERE status = 'active'
And a request to /users?filter[name]=john&filter[status]=active runs:
SELECT * FROM users WHERE LOWER(name) LIKE '%john%' AND status = 'active'
Multiple filters in the URL are joined with AND. That's the default and it's what you want most of the time.
The word "allowed" in allowedFilters is doing real work. If a client tries to filter by something you haven't whitelisted, the package throws an InvalidFilterQuery exception instead of silently ignoring it or, worse, letting it through. So a request to /users?filter[email]=acme.com against the controller above results in:
Spatie\QueryBuilder\Exceptions\InvalidFilterQuery Requested filter(s) `email` are not allowed. Allowed filter(s) are `name, status`.
The exception has a 400 Bad Request status code, so by default Laravel renders it as a clean error response to the client. You don't have to do anything special to get this behavior.
Now imagine you want a single search box that matches across multiple columns. The user types "john" and you want to find rows where either the name or the email contains that value.
Before v7.3.0, you'd reach for a custom callback filter:
$users = QueryBuilder::for(User::class) ->allowedFilters( AllowedFilter::exact('status'), AllowedFilter::callback('q', function ($query, $value) { $query->where('name', 'LIKE', "%{$value}%") ->orWhere('email', 'LIKE', "%{$value}%"); }), ) ->get();
Looks fine at a glance. But a request to /users?filter[status]=active&filter[q]=john runs:
SELECT * FROM users WHERE status = 'active' AND name LIKE '%john%' OR email LIKE '%john%'
Spot the bug. The OR binds looser than the AND, so this matches every row whose email contains "john", including inactive users. To fix it, you have to wrap the callback's wheres in their own nested closure. It's an easy thing to forget, and it silently returns wrong data when you do.
In v7.3.0, this becomes a one-liner. Here's how you register a group filter:
$users = QueryBuilder::for(User::class) ->allowedFilters( AllowedFilter::groupOr('q', [ AllowedFilter::partial('name'), AllowedFilter::partial('email'), ]), ) ->get();
A request to /users?filter[q]=john now runs:
SELECT * FROM users WHERE (LOWER(name) LIKE '%john%' OR LOWER(email) LIKE '%john%')
The value john is passed to every member of the group, and the conjunction joins them. There's also AllowedFilter::groupAnd() if you want all members to match instead.
Groups compose cleanly with the rest of your filters. Here's a setup that has both a top-level status filter and a group:
$users = QueryBuilder::for(User::class) ->allowedFilters( AllowedFilter::exact('status'), AllowedFilter::groupOr('q', [ AllowedFilter::partial('name'), AllowedFilter::partial('email'), ]), ) ->get();
A request to /users?filter[status]=active&filter[q]=john runs:
SELECT * FROM users WHERE status = 'active' AND (LOWER(name) LIKE '%john%' OR LOWER(email) LIKE '%john%')
The whole group is wrapped in its own parentheses, so the OR can never leak into the status clause. That's the bug pattern that used to bite people who rolled their own callback filter for cross-column search.
You can also register multiple independent groups. Each one becomes its own wrapped scope, and they're joined with AND between them. The members can be any AllowedFilter type, so you can mix partial, exact, scope, and other filters in the same group.
The upgrade is fully non-breaking. All existing filter behavior is unchanged. The new feature is documented in the filtering docs, and the pull request by Birtan Taşkın has the full reasoning behind the design.
This is one of the many packages we've created at Spatie. If you want to support our open source work, consider picking up one of our paid products.
]]>spatie/laravel-sluggable package has been around for close to a decade. A slug is the readable part of a URL that identifies a record, like announcing-laravel-sluggable-v4-with-self-healing-urls in this post's URL. The package generates one for any Eloquent model when you save it, derived from a title or another text field, and most of the time you don't have to think about it.
We just released v4, which adds a few things worth talking about. Let me walk you through them.
For most models, slug generation is mechanical. Pick a source field, pick a destination field, done. In v4, you can express that with an attribute on the model.
use Spatie\Sluggable\Attributes\Sluggable; use Illuminate\Database\Eloquent\Model; #[Sluggable(from: 'title', to: 'slug')] class Post extends Model { }
That's it. No trait, no getSlugOptions() method. Save a Post and the package fills in the slug:
$post = Post::create(['title' => 'ActiveRecord is awesome']); $post->slug; // "activerecord-is-awesome"
Picture this. You publish a new post titled "Anouncing v4 of laravel-sluggable". The slug becomes anouncing-v4-of-laravel-sluggable, you share the link, a few people bookmark it. Five minutes later you notice the missing n and fix the title. The slug regenerates to announcing-v4-of-laravel-sluggable, and now everyone who clicked the first version hits a 404.
The usual answer is a redirects table: store the old slug, forward it to the new one. It works, but every rename adds a row, and after a while it's another moving piece to maintain.
Self-healing URLs solve this differently. The route key combines the slug with the primary key, so the slug is decorative and the id is what actually identifies the record.
use Spatie\Sluggable\Attributes\Sluggable; use Spatie\Sluggable\HasSlug; use Illuminate\Database\Eloquent\Model; #[Sluggable(from: 'title', to: 'slug', selfHealing: true)] class Post extends Model { use HasSlug; }
If your post has slug hello-world and id 5, the URL becomes /posts/hello-world-5. Rename the post to Greetings, World and the canonical URL becomes /posts/greetings-world-5. Old links keep working because the package can still find the record by id, and it sends a permanent redirect to the new canonical URL.
The redirect status code is 308 Permanent Redirect. In v3 it was 301. The reason for the change is that 301 is allowed to silently downgrade PUT, PATCH, and DELETE to GET when followed, which gets you a 405 Method Not Allowed if the new URL doesn't accept GET. 308 keeps the method intact.
Slug generation and the self-healing URL format are now expressed as three actions: one for generating the slug, one for building the self-healing route key, and one for parsing it back out. All three can be swapped through config/sluggable.php. The example below customizes the two self-healing actions; the slug generator stays on its default behavior.
The use case I had in mind was self-healing URLs that put the id first. Say you want /posts/5-hello-world instead of /posts/hello-world-5. Extend the default builder action and put the identifier in front:
namespace App\Sluggable; use Spatie\Sluggable\Actions\BuildSelfHealingRouteKeyAction; class IdFirstBuildAction extends BuildSelfHealingRouteKeyAction { public function execute(string $slug, int|string $identifier, string $separator): string { if ($slug === '') { return (string) $identifier; } return "{$identifier}{$separator}{$slug}"; } }
The extractor needs the inverse logic. The default action looks for the last separator, because slugs can contain the separator themselves, so swap it for one that reads the identifier from the front:
namespace App\Sluggable; use Illuminate\Support\Str; use Spatie\Sluggable\Actions\ExtractIdentifierFromSelfHealingRouteKeyAction; class IdFirstExtractAction extends ExtractIdentifierFromSelfHealingRouteKeyAction { public function execute(string $value, string $separator): array { $identifier = Str::before($value, $separator); if ($identifier === $value || ! ctype_digit($identifier)) { return ['slug' => $value, 'identifier' => null]; } return [ 'slug' => Str::after($value, $separator), 'identifier' => $identifier, ]; } }
Str::before returns the original string when the separator isn't present, which is how the no-separator case is detected. The ctype_digit check rejects values where the prefix isn't numeric, so models with non-numeric primary keys like ULIDs need to swap that for a regex.
Wire both into the config and you're done:
// config/sluggable.php 'build_self_healing_route_key' => App\Sluggable\IdFirstBuildAction::class, 'extract_identifier_from_self_healing_route_key' => App\Sluggable\IdFirstExtractAction::class,
The full reference, including a simpler uppercase variant and a custom slug generator, lives in the overriding actions docs.
Laravel Boost is an MCP server from the Laravel team that exposes your application's installed packages and versions to your AI assistant, so prompts produce code that fits your stack instead of generic Laravel snippets. Packages can bundle their own Boost skills, and Boost discovers them automatically.
This package ships with a sluggable-development skill that walks your assistant through adding a sluggable model: picking the source field, deciding whether you need self-healing URLs, generating the migration, and dropping the attribute or trait on the model. If you have Boost installed, this is the easiest way to add a new sluggable model to your project.
You can find the package on GitHub and the full documentation on our docs site. Coming from v3? The upgrade guide covers the breaking changes (mostly minimum versions and a callable to Closure migration).
This is one of many packages we've built at Spatie. If you want to support our open source work, consider picking up one of our paid products.
]]>In Flare, Mailcoach, and Oh Dear we use it to build audit logs, so we can track what users are doing: who changed a setting, who deleted a project, who invited a team member. If you need something similar in your app, this package makes it easy.
This major release requires PHP 8.4+ and Laravel 12+, and brings a cleaner API, a better database schema, and customizable internals. Let me walk you through what the package can do and what's new in v5.
At its core, the package lets you log what happens in your application. The simplest usage looks like this:
activity()->log('Look mum, I logged something');
You can retrieve all logged activities using the Activity model:
use Spatie\Activitylog\Models\Activity; $lastActivity = Activity::all()->last(); // returns 'Look mum, I logged something' $lastActivity->description;
Most of the time you want to know two things: what was affected, and who did it. The package calls these the subject and the causer. You can also attach custom properties for any extra context you need:
activity() ->performedOn($article) ->causedBy($user) ->withProperties(['via' => 'admin-panel']) ->log('edited'); $lastActivity = Activity::all()->last(); // the article that was edited $lastActivity->subject; // the user who edited it $lastActivity->causer; // 'admin-panel' $lastActivity->getProperty('via');
The Activity model provides query scopes to filter your activity log:
Activity::forSubject($newsItem)->get(); Activity::causedBy($user)->get(); Activity::forEvent('updated')->get(); Activity::inLog('payment')->get(); // or combine them Activity::forSubject($newsItem) ->causedBy($user) ->forEvent('updated') ->get();
Imagine you want to track whenever a model is created, updated, or deleted. Just add the LogsActivity trait to your model. In v5, that's all you need for basic logging:
use Illuminate\Database\Eloquent\Model; use Spatie\Activitylog\Models\Concerns\LogsActivity; class NewsItem extends Model { use LogsActivity; }
That's it. No getActivitylogOptions() method needed. Now imagine you also want to track which attributes changed. Override the method and tell it what to watch:
use Spatie\Activitylog\Support\LogOptions; class NewsItem extends Model { use LogsActivity; protected $fillable = ['name', 'text']; public function getActivitylogOptions(): LogOptions { return LogOptions::defaults() ->logOnly(['name', 'text']); } }
Now when you update a news item, the package tracks exactly what changed:
$newsItem->name = 'updated name'; $newsItem->save(); $activity = Activity::all()->last(); $activity->attribute_changes; // [ // 'attributes' => [ // 'name' => 'updated name', // 'text' => 'Lorem', // ], // 'old' => [ // 'name' => 'original name', // 'text' => 'Lorem', // ], // ]
You can log all fillable attributes with logFillable(), all unguarded attributes with logUnguarded(), or use logAll() combined with logExcept() to log everything except sensitive fields like passwords.
If you only want to see what actually changed rather than all tracked attributes, chain logOnlyDirty().
When a model event is logged, you can hook into the process by defining a beforeActivityLogged() method on your model:
class NewsItem extends Model { use LogsActivity; public function beforeActivityLogged(Activity $activity, string $eventName): void { $activity->properties = $activity->properties->merge([ 'ip_address' => request()->ip(), ]); } }
This runs right before the activity is persisted, giving you a chance to enrich it with extra data.
The core operations of the package (logging activities and cleaning old records) are now handled by action classes. You can extend these and swap them in via config.
For example, say you want to save activities to the queue instead of writing them to the database during the request. Extend the action and override the save() method:
use Spatie\Activitylog\Actions\LogActivityAction; class QueuedLogAction extends LogActivityAction { protected function save(Model $activity): void { dispatch(new SaveActivityJob($activity->toArray())); } }
Then tell the package to use your custom action in config/activitylog.php:
'actions' => [ 'log_activity' => QueuedLogAction::class, ],
You can also override transformChanges() to manipulate the changes array before saving. Here's an example that redacts password changes so they never end up in your activity log:
use Illuminate\Database\Eloquent\Model; use Illuminate\Support\Arr; use Spatie\Activitylog\Actions\LogActivityAction; class RedactSensitiveFieldsAction extends LogActivityAction { protected function transformChanges(Model $activity): void { $changes = $activity->attribute_changes?->toArray() ?? []; Arr::forget($changes, ['attributes.password', 'old.password']); $activity->attribute_changes = collect($changes); } }
Say you have an endpoint that updates product prices in bulk. Each product update triggers a model event, and each model event logs an activity. With 200 products, that's 200 INSERT queries just for activity logging.
foreach ($products as $product) { // each update triggers an activity INSERT query $product->update(['price' => $newPrices[$product->id]]); }
With buffering enabled, the package collects all those activities in memory during the request and inserts them in a single bulk query after the response has been sent to the client. Your user gets a fast response, and the database does one insert instead of 200.
Buffering is off by default. You can enable it in the config/activitylog.php config file. No other code changes needed. All existing logging code (both automatic model event logging and manual activity()->log() calls) will be buffered automatically.
Under the hood, the ActivityBuffer class collects activities in an array and inserts them all at once when flushed:
class ActivityBuffer { protected array $pending = []; public function add(Model $activity): void { $this->pending[] = $this->prepareForInsert($activity); } public function flush(): void { if (empty($this->pending)) { return; } $modelClass = Config::activityModel(); $modelClass::query()->insert($this->pending); $this->pending = []; } }
The service provider takes care of flushing the buffer at the right time:
protected function registerActivityBufferFlushing(): void { // flush after the response has been sent $this->app->terminating(fn () => app(ActivityBuffer::class)->flush()); // flush after each queued job $this->app['events']->listen( [JobProcessed::class, JobFailed::class], fn () => app(ActivityBuffer::class)->flush(), ); // safety net if the application terminates unexpectedly register_shutdown_function(function () { try { app(ActivityBuffer::class)->flush(); } catch (\Throwable) { } }); }
One thing to be aware of: buffered activities won't have a database ID until the buffer is flushed. If you need to read back the activity ID immediately after logging, don't enable buffering.
This works with Octane (the buffer is a scoped binding, so it resets between requests) and queues out of the box.
v5 doesn't bring a lot of new features, but it modernizes the package, cleans up the internals, and makes the things that were hard to customize in v4 easy to swap out. If you're upgrading from v4, be aware that there are quite a few breaking changes. Check the upgrade guide for the full list.
You can find the complete documentation at spatie.be/docs/laravel-activitylog and the source code on GitHub.
This is one of the many packages we've created at Spatie. If you want to support our open source work, consider picking up one of our paid products.
]]>Our query builder takes care of all of that. It reads query parameters from the URL, translates them into the right Eloquent queries, and makes sure only the things you've explicitly allowed can be queried.
// GET /users?filter[name]=John&include=posts&sort=-created_at $users = QueryBuilder::for(User::class) ->allowedFilters('name') ->allowedIncludes('posts') ->allowedSorts('created_at') ->get(); // select * from users where name = 'John' order by created_at desc
This major version requires PHP 8.3+ and Laravel 12 or higher, and brings a cleaner API along with some features we've been wanting to add for a while.
Let me walk you through how the package works and what's new.
The idea is simple: your API consumers pass query parameters in the URL, and the package translates those into the right Eloquent query. You just define what's allowed.
Say you have a User model and you want to let API consumers filter by name. Here's all you need:
use Spatie\QueryBuilder\QueryBuilder; $users = QueryBuilder::for(User::class) ->allowedFilters('name') ->get();
Now when someone requests /users?filter[name]=John, the package adds the appropriate WHERE clause to the query:
select * from users where name = 'John'
Only the filters you've explicitly allowed will work. If someone tries /users?filter[secret_column]=something, the package throws an InvalidFilterQuery exception. Your database schema stays hidden from API consumers.
You can allow multiple filters at once and combine them with sorting:
$users = QueryBuilder::for(User::class) ->allowedFilters('name', 'email') ->allowedSorts('name', 'created_at') ->get();
A request to /users?filter[name]=John&sort=-created_at now filters by name and sorts by created_at descending (the - prefix means descending).
Including relationships works the same way. If you want consumers to be able to eager-load a user's posts:
$users = QueryBuilder::for(User::class) ->allowedFilters('name', 'email') ->allowedIncludes('posts', 'permissions') ->allowedSorts('name', 'created_at') ->get();
A request to /users?include=posts&filter[name]=John&sort=-created_at now returns users named John, sorted by creation date, with their posts eager-loaded.
You can also select specific fields to keep your responses lean:
$users = QueryBuilder::for(User::class) ->allowedFields('id', 'name', 'email') ->allowedIncludes('posts') ->get();
With /users?fields=id,email&include=posts, only the id and email columns are selected.
The QueryBuilder extends Laravel's default Eloquent builder, so all your favorite methods still work. You can combine it with existing queries:
$query = User::where('active', true); $users = QueryBuilder::for($query) ->withTrashed() ->allowedFilters('name') ->allowedIncludes('posts', 'permissions') ->where('score', '>', 42) ->get();
The query parameter names follow the JSON API specification as closely as possible. This means you get a consistent, well-documented API surface without having to think about naming conventions.
All the allowed* methods now accept variadic arguments instead of arrays.
// Before (v6) QueryBuilder::for(User::class) ->allowedFilters(['name', 'email']) ->allowedSorts(['name']) ->allowedIncludes(['posts']); // After (v7) QueryBuilder::for(User::class) ->allowedFilters('name', 'email') ->allowedSorts('name') ->allowedIncludes('posts');
If you have a dynamic list, use the spread operator:
$filters = ['name', 'email']; QueryBuilder::for(User::class)->allowedFilters(...$filters);
This is the biggest new feature. You can now include aggregate values for related models using AllowedInclude::min(), AllowedInclude::max(), AllowedInclude::sum(), and AllowedInclude::avg(). Under the hood, these map to Laravel's withMin(), withMax(), withSum() and withAvg() methods.
use Spatie\QueryBuilder\AllowedInclude; $users = QueryBuilder::for(User::class) ->allowedIncludes( 'posts', AllowedInclude::count('postsCount'), AllowedInclude::sum('postsViewsSum', 'posts', 'views'), AllowedInclude::avg('postsViewsAvg', 'posts', 'views'), ) ->get();
A request to /users?include=posts,postsCount,postsViewsSum now returns users with their posts, the post count, and the total views across all posts.
You can constrain these aggregates too. For example, to only count published posts:
use Spatie\QueryBuilder\AllowedInclude; use Illuminate\Database\Eloquent\Builder; $users = QueryBuilder::for(User::class) ->allowedIncludes( AllowedInclude::count( 'publishedPostsCount', 'posts', fn (Builder $query) => $query->where('published', true) ), AllowedInclude::sum( 'publishedPostsViewsSum', 'posts', 'views', constraint: fn (Builder $query) => $query->where('published', true) ), ) ->get();
All four aggregate types support these constraint closures, making it possible to build endpoints that return computed data alongside your models without writing custom query logic.
Laravel 13 is adding built-in support for JSON:API resources. These new JsonApiResource classes handle the serialization side: they produce responses compliant with the JSON:API specification.
You create one by adding the --json-api flag:
php artisan make:resource PostResource --json-api
This generates a resource class where you define attributes and relationships:
use Illuminate\Http\Resources\JsonApi\JsonApiResource; class PostResource extends JsonApiResource { public $attributes = [ 'title', 'body', 'created_at', ]; public $relationships = [ 'author', 'comments', ]; }
Return it from your controller, and Laravel produces a fully compliant JSON:API response:
{ "data": { "id": "1", "type": "posts", "attributes": { "title": "Hello World", "body": "This is my first post." }, "relationships": { "author": { "data": { "id": "1", "type": "users" } } } }, "included": [ { "id": "1", "type": "users", "attributes": { "name": "Taylor Otwell" } } ] }
Clients can request specific fields and includes via query parameters like /api/posts?fields[posts]=title&include=author. Laravel's JSON:API resources handle all of that on the response side.
The Laravel docs explicitly mention our package as a companion:
Laravel's JSON:API resources handle the serialization of your responses. If you also need to parse incoming JSON:API query parameters such as filters and sorts, Spatie's Laravel Query Builder is a great companion package.
So while Laravel's new JSON:API resources take care of the output format, our query builder handles the input side: parsing filter, sort, include and fields parameters from the request and translating them into the right Eloquent queries. Together they give you a full JSON:API implementation with very little boilerplate.
To upgrade from v6, check the upgrade guide. The changes are mostly mechanical. Check the guide for the full list.
You can find the full source code and documentation on GitHub. We also have extensive documentation on the Spatie website.
This is one of the many packages we've created at Spatie. If you want to support our open source work, consider picking up one of our paid products.
]]>Our spatie/invade package provides a tiny invade function that lets you read, write, and call private members on any object.
You probably shouldn't reach for this package often. It's most useful in tests or when you're building a package that needs to integrate deeply with objects you don't control.
Let me walk you through how it works.
Imagine you have a class with private members:
class MyClass { private string $privateProperty = 'private value'; private function privateMethod(): string { return 'private return value'; } }
If you try to access that private property from outside the class, PHP will stop you:
$myClass = new MyClass(); $myClass->privateProperty; // Error: Cannot access private property MyClass::$privateProperty
With invade, you can get around that. Install the package via composer:
composer require spatie/invade
Now you can read that private property:
// returns 'private value' invade($myClass)->privateProperty;
You can set it too:
invade($myClass)->privateProperty = 'changed value'; // returns 'changed value' invade($myClass)->privateProperty;
And you can call private methods:
// returns 'private return value' invade($myClass)->privateMethod();
The API is clean and reads well. But the interesting part is what happens under the hood. Before we look at the package code, there's a PHP rule you need to know about first.
Let me walk you through how the package works internally. We'll first look at the old approach using reflection, and then the current solution that uses closure binding.
In v1 of the package, we used PHP's Reflection API to access private members. Here's what the Invader class looked like:
class Invader { public object $obj; public ReflectionClass $reflected; public function __construct(object $obj) { $this->obj = $obj; $this->reflected = new ReflectionClass($obj); } public function __get(string $name): mixed { $property = $this->reflected->getProperty($name); $property->setAccessible(true); return $property->getValue($this->obj); } }
When you create an Invader, it wraps your object and creates a ReflectionClass for it. When you try to access a property like invade($myClass)->privateProperty, PHP triggers the __get magic method. It uses the reflection instance to find the property by name, calls setAccessible(true) on it, and then reads the value from the original object. The setAccessible(true) call tells PHP to skip the visibility check for that reflected property. Without it, trying to read a private property through reflection would throw an error, just like accessing it directly.
This worked fine, but it required creating a ReflectionClass instance and calling setAccessible(true) on every property or method you wanted to access. In v2, we replaced all of this with a much simpler approach using closures. To understand how, we first need to look at a lesser-known PHP visibility rule.
In PHP, private visibility is scoped to the class, not to a specific object instance. Any code running inside a class can access the private properties and methods of any instance of that class.
Here's a concrete example:
class Wallet { public function __construct( private int $balance ) { } public function hasMoreThan(Wallet $other): bool { // This works: we can read $other's private $balance // because we're inside the Wallet class scope return $this->balance > $other->balance; } } $mine = new Wallet(100); $yours = new Wallet(50); // returns true $mine->hasMoreThan($yours);
Notice how hasMoreThan reads $other->balance directly, even though $balance is private. This compiles and runs without errors because the code is running inside the Wallet class. PHP doesn't care which instance the property belongs to. As long as you're in the right class scope, all private members of all instances of that class are accessible.
This is the foundation that makes v2 of the invade package work. If you can get your code to run inside the scope of the target class, you get access to its private members. PHP closures give us a way to do exactly that.
PHP closures carry the scope of the class they were defined in. But the Closure::call() method lets you change that. It temporarily rebinds $this inside the closure to a different object, and it also changes the scope to the class of that object.
$readBalance = fn () => $this->balance; $wallet = new Wallet(100); // returns 100 $readBalance->call($wallet);
Even though $balance is private, this works. The ->call($wallet) method binds the closure to the $wallet object and puts it in the Wallet class scope. When PHP evaluates $this->balance, it sees that the code is running in the scope of Wallet, so it allows the access.
This is the entire trick that invade v2 is built on. Now let's look at the actual code.
When you call invade($object), it returns an Invader instance that wraps your object. The current version of the Invader class is surprisingly small:
class Invader { public function __construct( public object $obj ) { } public function __get(string $name): mixed { return (fn () => $this->{$name})->call($this->obj); } public function __set(string $name, mixed $value): void { (fn () => $this->{$name} = $value)->call($this->obj); } public function __call(string $name, array $params = []): mixed { return (fn () => $this->{$name}(...$params))->call($this->obj); } }
That's the entire class. No reflection, no complex tricks. Just PHP magic methods and closures.
When you write invade($myClass)->privateProperty, the invade function creates a new Invader instance. PHP can't find privateProperty on the Invader class, so it triggers __get('privateProperty'). The __get method creates a short closure fn () => $this->{$name} and calls it with ->call($this->obj). As we just learned, this binds $this inside the closure to your original object and puts the closure in that object's class scope. PHP then evaluates $this->privateProperty inside the scope of MyClass, and the private access is allowed.
The __set method uses the same pattern, but assigns a value instead of reading one:
(fn () => $this->{$name} = $value)->call($this->obj);
The $value variable is captured from the enclosing scope of the __set method, so it's available inside the closure.
For calling private methods, __call follows the same approach:
return (fn () => $this->{$name}(...$params))->call($this->obj);
The closure calls the method by name, spreading the parameters. Since ->call() binds the closure to the target object, PHP sees this as a call from within the class itself, and the private method becomes accessible.
The invade package is a fun example of how PHP closures and scope binding can bypass visibility restrictions in a clean way. It's a small trick, but understanding why it works teaches you something interesting about how PHP handles class scope and closure binding.
The original idea for the invade function came from Caleb Porzio, who first introduced it as a helper in Livewire to replace a more verbose ObjectPrybar class. We liked the concept so much that we turned it into its own package.
Just remember: use it sparingly. It works great in tests or when you're building a package that needs deep integration with objects you don't control. In your regular project code, you probably don't need invade.
You can find the package on GitHub. This is one of the many packages we've created at Spatie. If you want to support our open source work, consider picking up one of our paid products.
]]>