diff --git a/app/controllers/spree/admin/orders_controller.rb b/app/controllers/spree/admin/orders_controller.rb
index 6c76bdf3d9..286929728d 100644
--- a/app/controllers/spree/admin/orders_controller.rb
+++ b/app/controllers/spree/admin/orders_controller.rb
@@ -69,7 +69,7 @@ module Spree
         @order.send_cancellation_email = params[:send_cancellation_email] != "false"
         @order.restock_items = params.fetch(:restock_items, "true") == "true"
 
-        if @order.public_send(event.to_s)
+        if allowed_events.include?(event) && @order.public_send(event.to_s)
           AmendBackorderJob.perform_later(@order) if @order.completed?
           flash[:success] = Spree.t(:order_updated)
         else
@@ -198,6 +198,10 @@ module Spree
                         ocs.closed +
                         ocs.undated
       end
+
+      def allowed_events
+        %w{cancel resume}
+      end
     end
   end
 end
diff --git a/spec/controllers/spree/admin/orders_controller_spec.rb b/spec/controllers/spree/admin/orders_controller_spec.rb
index 6011c818db..dcb5b6dc68 100644
--- a/spec/controllers/spree/admin/orders_controller_spec.rb
+++ b/spec/controllers/spree/admin/orders_controller_spec.rb
@@ -294,4 +294,59 @@ RSpec.describe Spree::Admin::OrdersController, type: :controller do
       end
     end
   end
+
+  describe "#fire" do
+    let(:order) { create(:completed_order_with_totals) }
+
+    before do
+      controller_login_as_admin
+
+      allow(Spree::Order).to receive_message_chain(:includes, :find_by!).and_return(order)
+      @request.env['HTTP_REFERER'] = spree.edit_admin_order_path(order)
+    end
+
+    %w{cancel resume}.each do |event|
+      it "calls allowed event #{event}" do
+        expect(order).to receive(:public_send).with(event)
+
+        spree_get :fire, { id: order, e: event }
+
+        expect(response).to redirect_to spree.edit_admin_order_path(order)
+      end
+    end
+
+    it "returns a success flash message" do
+      spree_get :fire, { id: order, e: "cancel" }
+
+      expect(flash[:success]).to eq "Order Updated"
+    end
+
+    it "amends back order" do
+      expect(AmendBackorderJob).to receive(:perform_later)
+
+      spree_get :fire, { id: order, e: "cancel" }
+    end
+
+    context "with a non allowed event" do
+      it "returns an error" do
+        expect(order).not_to receive(:public_send).with("state")
+
+        spree_get :fire, { id: order, e: "state" }
+
+        expect(flash[:error]).to eq "Can not perform this operation"
+        expect(response).to redirect_to spree.edit_admin_order_path(order)
+      end
+    end
+
+    context "when a GatewayError is raised" do
+      it "returns an error flash message" do
+        allow(order).to receive(:public_send).and_raise(Spree::Core::GatewayError, "Some error")
+
+        spree_get :fire, { id: order, e: "cancel" }
+
+        expect(flash[:error]).to eq "Some error"
+        expect(response).to redirect_to spree.edit_admin_order_path(order)
+      end
+    end
+  end
 end