Challenge 3: Spot the Mass Assignment Risk — Possible Solution ==================================================================== # BEFORE — vulnerable from django import forms from .models import UserProfile class UserProfileForm(forms.ModelForm): class Meta: model = UserProfile fields = "__all__" # ⚠️ includes is_verified, not just bio/avatar_url # AFTER — safe explicit allowlist class UserProfileForm(forms.ModelForm): class Meta: model = UserProfile fields = ["bio", "avatar_url"] # is_verified deliberately excluded WHAT REAL-WORLD EXPLOIT THE ORIGINAL VERSION WAS VULNERABLE TO ------------------------------------------------------------------ Because HTML form data is just a flat set of key/value pairs submitted by the client, an attacker can add EXTRA fields to a POST request beyond what the rendered