diff --git a/app/controllers/spree/admin/users_controller.rb b/app/controllers/spree/admin/users_controller.rb
index a1db20605c..6d8337a5ce 100644
--- a/app/controllers/spree/admin/users_controller.rb
+++ b/app/controllers/spree/admin/users_controller.rb
@@ -22,7 +22,7 @@ module Spree
 roles = params[:user].delete("spree_role_ids")
 end
- @user = Spree::User.new(params[:user])
+ @user = Spree::User.new(user_params)
 if @user.save
 if roles
@@ -41,7 +41,7 @@ module Spree
 roles = params[:user].delete("spree_role_ids")
 end
- if @user.update_attributes(params[:user])
+ if @user.update_attributes(user_params)
 if roles
 @user.spree_roles = roles.reject(&:blank?).collect{ |r| Spree::Role.find(r) }
 end
@@ -136,6 +136,10 @@ module Spree
 def new_email_unconfirmed?
 params[:user][:email] != @user.email
 end
+
+ def user_params
+ params.require(:user).permit(:email, :enterprise_limit, :password, :password_confirmation)
+ end
 end
 end
 end
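Review bot: `params.require(:user)` raises `ActionController::ParameterMissing` when the request carries no `user` key, while the `end` after the `roles = ...` context line suggests this action still guards on `params[:user]` being present (that conditional opens outside the hunk). Before this change `Spree::User.new(params[:user])` tolerated a missing key, so the guard and the new call now disagree about whether that request is valid. If the empty case should still be accepted, `params.fetch(:user, {}).permit(...)` keeps the old behaviour; if rejecting it is intended, a short comment saying so would stop the guard being read as support for it. The same applies to `@user.update_attributes(user_params)` in the second hunk.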
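Review bot: Role assignment still bypasses the new permit list in this hunk: `roles` is taken from raw `params[:user]` before `user_params` runs, and every non-blank id is passed to `Spree::Role.find`, so the whitelist limits user attributes but not which roles a request can grant. That is only safe if every action in this controller is restricted to administrators, which is not visible here. A comment at the extraction, for example `# spree_role_ids is applied outside user_params; granting roles relies on this controller's admin authorization`, would record the assumption. The create hunk has the same pattern, and the enclosing method starts and ends outside the hunk.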
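Review bot: The visibility of `user_params` depends on a `private` marker that is outside this hunk; it is added directly after `new_email_unconfirmed?` and inherits whatever applies there, so it is worth confirming that it does not end up as a public controller method. The permit list is the security-relevant part of this change and has no comment. If it matches the intent, something like `# Attributes an admin may set directly; spree_role_ids is excluded here and applied separately in create/update` above the method would keep a later edit from adding role ids to the list. No spec covering the permitted attributes is visible in this diff.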