When an application creates or updates information from a request, the code has to pass data from the user to the database in some way. Taking user registration as an example, the data might look like this:

```
user {
  'name': 'example',
  'email': '[email protected]'
}
```

Behind the scenes, the database could hold more fields than the request is expected to supply. For example, there could be an `is_admin` field:

```
user {
  'name': 'example',
  'email': '[email protected]',
  'is_admin': 'true'
}
```

If the code that creates or updates a user passes the entire request payload through without first authorising whether the caller should be able to set the admin field, the result is a mass assignment issue, because anyone would be able to change their own status.
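The registration case above, as an added example that is not code from the original page: a handler that copies the whole payload, next to one that copies only allow-listed fields and one that authorises privileged fields on update. The function names, the in-memory dictionary standing in for the database row, and the sample e-mail address are assumptions made for the illustration.

```python
# Added example: field names follow the article; function names are hypothetical.
PUBLIC_FIELDS = {"name", "email"}   # fields any caller may set
ADMIN_FIELDS = {"is_admin"}         # fields only an existing admin may set


def new_record():
    """Columns stored for a user, with safe defaults."""
    return {"name": None, "email": None, "is_admin": False}


def register_vulnerable(payload):
    """Copies the whole request payload into the record (mass assignment)."""
    record = new_record()
    record.update(payload)          # every key the caller sent is trusted
    return record


def register_safe(payload):
    """Copies only allow-listed fields; anything else is ignored."""
    record = new_record()
    for field in payload.keys() & PUBLIC_FIELDS:
        record[field] = payload[field]
    return record


def update_safe(record, payload, actor_is_admin):
    """Applies an update, authorising privileged fields before writing."""
    allowed = PUBLIC_FIELDS | (ADMIN_FIELDS if actor_is_admin else set())
    rejected = sorted(payload.keys() - allowed)
    if rejected:
        raise PermissionError(f"fields not permitted: {rejected}")
    if "is_admin" in payload and not isinstance(payload["is_admin"], bool):
        raise ValueError("is_admin must be a boolean")
    updated = dict(record)
    updated.update(payload)
    return updated


# Constructed sample request body carrying the extra field.
SAMPLE = {"name": "example", "email": "user@example.test", "is_admin": True}

if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(SAMPLE))
    print("safe:      ", register_safe(SAMPLE))
```

Rejecting unexpected fields on update, rather than silently dropping them, also gives the application an event worth logging when a client sends `is_admin`.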