Expected Findings
- PATCH endpoint merges arbitrary fields into the user record.
- `is_admin` and `org_id` are writable from any client.
- No allow-list of editable fields is enforced.
The profile update spreads `req.body` directly into the user record, so a client can set `is_admin` or `org_id` by adding the field.
```javascript
// Vulnerable profile update: every field in the request body is merged into the user record.
Object.assign(user, req.body);
await user.save();
```
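The fix the findings call for is an explicit allow-list of editable fields. The following is an added example (not code from the original page) that places the spread-everything pattern next to an allow-listed version and a small handler that rejects the request when a non-editable field is present; the field names, the `user` object and the sample request body are constructed for illustration.

```javascript
// Added example: mass-assignment fix via an allow-list of editable fields.
// Field names, the user record and the sample request are constructed.

// Only these keys may be written by a client on the profile endpoint.
const EDITABLE_FIELDS = new Set(['display_name', 'bio', 'avatar_url']);

// Vulnerable form: every key in the request body lands on the user record,
// including privilege and tenancy fields such as is_admin and org_id.
function updateProfileUnsafe(user, body) {
  Object.assign(user, body);
  return user;
}

// Hardened form: copy only allow-listed keys and report every rejected key,
// so the route can return 400 and the attempt can be logged for detection.
// Object.keys() yields own properties only, so a "__proto__" key parsed from
// JSON is treated as an ordinary (rejected) field and never reaches the record.
function updateProfileSafe(user, body) {
  const accepted = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (EDITABLE_FIELDS.has(key)) {
      accepted[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  Object.assign(user, accepted);
  return { user, rejected };
}

// Framework-independent handler: takes a request-like object and returns the
// status and body a route would send. Rejects rather than silently drops the
// disallowed fields so that tampering is visible in application logs.
function handleProfilePatch(req, user) {
  const { rejected } = updateProfileSafe(user, req.body || {});
  if (rejected.length > 0) {
    return {
      status: 400,
      body: { error: 'fields not editable', fields: rejected },
    };
  }
  return { status: 200, body: { id: user.id, display_name: user.display_name } };
}

// Constructed sample request that attempts to escalate privileges and
// move the account into another organisation.
const sampleBody = { display_name: 'Mallory', is_admin: true, org_id: 42 };

function demo() {
  const unsafeUser = { id: 1, display_name: 'Alice', is_admin: false, org_id: 7 };
  updateProfileUnsafe(unsafeUser, sampleBody);
  console.log('unsafe:', unsafeUser); // is_admin becomes true, org_id becomes 42

  const safeUser = { id: 1, display_name: 'Alice', is_admin: false, org_id: 7 };
  const response = handleProfilePatch({ body: sampleBody }, safeUser);
  console.log('safe:', response.status, response.body, safeUser); // 400, record unchanged for is_admin/org_id
  return response;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

The allow-list lives next to the handler on purpose: a deny-list of "dangerous" fields fails silently the next time a sensitive column is added to the model, whereas an allow-list has to be extended deliberately. Returning 400 with the rejected field names, instead of dropping them, gives monitoring something concrete to alert on.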