When a request creates or updates a record, the application code has to pass the user-supplied data through to the database in some way.
Taking user registration as an example, the data might look like this:
```
user {
  'name': 'example',
  'email': '[email protected]'
}
```
Behind the scenes, the database may hold more fields than the request is meant to set. For example, there could be an `is_admin` field:
```
user {
  'name': 'example',
  'email': '[email protected]',
  'is_admin': 'true'
}
```
If the code that creates or updates a user passes the entire request payload to the database without first checking whether the caller is authorised to set `is_admin`, the result is a mass assignment issue, because anyone would be able to change their own admin status.
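
The pattern described above next to one way of closing it, as an added example (not code from the original page). The function names, the in-memory dict standing in for the database row, and the request body are all constructed for illustration.

```python
# Added example: a dict stands in for the database row (constructed data).
PUBLIC_FIELDS = {"name", "email"}      # fields any caller may set on their own record
PRIVILEGED_FIELDS = {"is_admin"}       # fields only an existing admin may set


def new_user():
    """Return a fresh record with the database-side default for is_admin."""
    return {"name": "", "email": "", "is_admin": False}


def register_unsafe(payload):
    """Vulnerable: copies every key of the request payload onto the record."""
    user = new_user()
    user.update(payload)               # a client-supplied is_admin is accepted as-is
    return user


def apply_payload(user, payload, actor_is_admin=False):
    """Hardened: allowlist the fields, authorise privileged ones, reject the rest."""
    allowed = PUBLIC_FIELDS | (PRIVILEGED_FIELDS if actor_is_admin else set())
    rejected = sorted(set(payload) - allowed)
    if rejected:
        # Fail closed rather than silently dropping, so the attempt can be logged.
        raise PermissionError(f"fields not permitted for this caller: {rejected}")
    updated = dict(user)               # leave the caller's copy untouched
    for field in allowed & set(payload):
        updated[field] = payload[field]
    return updated


def register_safe(payload):
    """Self-registration is always treated as an unprivileged caller."""
    return apply_payload(new_user(), payload, actor_is_admin=False)


if __name__ == "__main__":
    # Constructed request body shaped like the second payload above.
    body = {"name": "example", "email": "user@example.test", "is_admin": True}
    print("unsafe:", register_unsafe(body))
    try:
        register_safe(body)
    except PermissionError as exc:
        print("safe  :", exc)
    print("admin :", apply_payload(new_user(), body, actor_is_admin=True))
```

Rejecting the request outright, rather than quietly ignoring the extra field, gives monitoring a clear signal that a client tried to set a field it has no right to.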