- Test POST and PUT endpoints for mass assignment by adding unexpected fields. Can you set `is_admin: true`, `plan: "enterprise"`, `commission_rate: 0`, or `verified: true` in API requests?
- In GraphQL mutations, test whether the input type accepts fields beyond what the documentation specifies.
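What the first check is looking for on the server side, shown as an added example (not code from this page or from any real framework): a handler that binds every request key onto the model, beside one that applies an explicit allowlist. The `Account` model, the handler names, and `CLIENT_WRITABLE` are assumptions made for illustration; the field names come from the checklist above.

```python
# Added example: constructed model and handlers, not from any real framework.
from dataclasses import dataclass, asdict

@dataclass
class Account:
    email: str
    display_name: str
    is_admin: bool = False
    plan: str = "free"
    commission_rate: float = 0.15
    verified: bool = False

# Fields a client may set on its own account; everything else is server-controlled.
CLIENT_WRITABLE = {"email": str, "display_name": str}

class RejectedFields(ValueError):
    def __init__(self, fields):
        super().__init__(f"unexpected or invalid fields: {sorted(fields)}")
        self.fields = sorted(fields)

def update_vulnerable(account, body):
    """Binds every key in the request body onto the model (mass assignment)."""
    for key, value in body.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return account

def update_hardened(account, body):
    """Applies only allowlisted fields of the expected type; rejects the rest."""
    bad = {k for k, v in body.items()
           if k not in CLIENT_WRITABLE or not isinstance(v, CLIENT_WRITABLE[k])}
    if bad:
        raise RejectedFields(bad)  # map to HTTP 400 and log the field names
    for key, value in body.items():
        setattr(account, key, value)
    return account

def privileged_changes(before, after):
    """Returns server-controlled fields whose value differs between two snapshots."""
    b, a = asdict(before), asdict(after)
    return {k: (b[k], a[k]) for k in b if k not in CLIENT_WRITABLE and b[k] != a[k]}

# Constructed request body using the field names from the checklist above.
SAMPLE_BODY = {"display_name": "Sam", "is_admin": True, "plan": "enterprise",
               "commission_rate": 0, "verified": True}
```

`privileged_changes` doubles as a regression check: snapshot the record before and after a request in an integration test and fail the test if it returns anything.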