Problem Statement
You must prevent mass assignment across many endpoints. What practical pattern would you apply?
Explanation
Create a request DTO that lists only allowed fields per role and endpoint. Validate and strip unknown fields before mapping to the model. Keep the mapping explicit and unit test it. This way, even if the database model adds new columns, they are not exposed automatically.
Review logs for blocked fields to spot probing. Document the allowed fields so both devs and testers know the contract.
Code Solution
const pick = (obj, keys) => Object.fromEntries(keys.filter(k => k in obj).map(k => [k, obj[k]])); // allowlist helper: copies only the named keys
const allowed = pick(req.body, ['email', 'displayName']); updateUser(userId, allowed);
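The pattern from the explanation carried through end to end, as an added example that is not part of the original page: a per-role, per-endpoint allowlist, stripping of unknown fields, an explicit DTO-to-model mapping, and a log line for blocked fields so probing is visible. The names ALLOWED_FIELDS, sanitizeBody, toUserUpdate and handleUpdate are assumptions, not an existing API.

```javascript
// Added example (not from the original page). Allowlist per endpoint and role;
// an unknown role or endpoint yields an empty list, so the check fails closed.
const ALLOWED_FIELDS = {
  'PATCH /users/:id': {
    user:  ['email', 'displayName'],
    admin: ['email', 'displayName', 'role', 'isActive'],
  },
};

// Keep only allowed keys and report everything else so it can be logged.
function sanitizeBody(endpoint, role, body) {
  const allowed = (ALLOWED_FIELDS[endpoint] || {})[role] || [];
  const accepted = {};
  const blocked = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) accepted[key] = body[key];
    else blocked.push(key);
  }
  return { accepted, blocked };
}

// Explicit mapping from DTO fields to model columns. A column added to the
// model later (for example a password hash) is unreachable unless it is
// deliberately added here and to ALLOWED_FIELDS.
function toUserUpdate(dto) {
  const update = {};
  if ('email' in dto) update.email = String(dto.email).trim().toLowerCase();
  if ('displayName' in dto) update.display_name = String(dto.displayName);
  if ('role' in dto) update.role = dto.role;
  if ('isActive' in dto) update.is_active = Boolean(dto.isActive);
  return update;
}

// Handler body for PATCH /users/:id: sanitize, log blocked fields, map.
function handleUpdate(role, body, log = console.warn) {
  const { accepted, blocked } = sanitizeBody('PATCH /users/:id', role, body);
  if (blocked.length) {
    log(`mass-assignment attempt blocked: role=${role} fields=${blocked.join(',')}`);
  }
  return toUserUpdate(accepted);
}

// Constructed sample request body: a regular user also sends role/isActive.
const SAMPLE_BODY = { email: ' A@Example.com ', displayName: 'Ann', role: 'admin', isActive: false };
console.log(handleUpdate('user', SAMPLE_BODY));  // only email and display_name survive
```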
