`$fillable` doesn't know if it's the admin panel or the customer API calling `Order::create()` - so fields like `is_forced_processing` or `is_from_api` are equally "allowed" for everyone. This post explains why mass assignment breaks down in large Laravel projects and how the DTO + Action pattern fixes it.
dev.to/tegos/fillable-has-no-context-why-mass-assignment-breaks-down-at-scale-3lmj
Back
