Make checkout controller handle strong parameters

app/controllers/checkout_controller.rb

@@ -43,7 +43,7 @@ class CheckoutController < Spree::StoreController
 
   def update
     params_adapter = Checkout::FormDataAdapter.new(params, @order, spree_current_user)
-    return update_failed unless @order.update_attributes(params_adapter.order_params)
+    return update_failed unless @order.update_attributes(order_params(params_adapter.params))
 
     fire_event('spree.checkout.update')
 
@@ -237,4 +237,21 @@ class CheckoutController < Spree::StoreController
       end
     end
   end
+
+  def order_params(params)
+    params.require(:order).permit(
+      :email, :special_instructions,
+      payments_attributes:
+        [
+          :payment_method_id, :amount,
+          source_attributes: [
+            :gateway_payment_profile_id, :cc_type, :last_digits,
+            :month, :year, :first_name, :last_name,
+            :number, :verification_value
+          ]
+        ],
+      bill_address_attributes: permitted_address_attributes,
+      ship_address_attributes: permitted_address_attributes
+    )
+  end
 end

app/services/checkout/form_data_adapter.rb

@@ -3,7 +3,7 @@
 # Adapts checkout form data (params) so that the order can be directly saved to the database
 module Checkout
   class FormDataAdapter
-    attr_reader :shipping_method_id
+    attr_reader :params, :shipping_method_id
 
     def initialize(params, order, current_user)
       @params = params.dup
@@ -19,10 +19,6 @@ module Checkout
       @shipping_method_id = @params[:order].delete(:shipping_method_id)
     end
 
-    def order_params
-      @params[:order]
-    end
-
     private
 
     # For payment step, filter order parameters to produce the expected

spec/services/checkout/form_data_adapter_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 describe Checkout::FormDataAdapter do
-  describe '#order_params' do
+  describe '#params' do
     let(:params) { { order: { order_id: "123" } } }
     let(:order) { create(:order) }
     let(:user) { create(:user) }
@@ -11,9 +11,7 @@ describe Checkout::FormDataAdapter do
     let(:adapter) { Checkout::FormDataAdapter.new(params, order, user) }
 
     it "returns the :order item in the params provided" do
-      order_params = adapter.order_params
-
-      expect(order_params).to eq params[:order]
+      expect(adapter.params[:order]).to eq params[:order]
     end
 
     describe "when payment_attributes are provided" do
@@ -25,9 +23,7 @@ describe Checkout::FormDataAdapter do
         before { params[:payment_source] = { "123" => source_attributes } }
 
         it "moves payment source attributes to the order payment attributes" do
-          order_params = adapter.order_params
-
-          expect(order_params[:payments_attributes].
+          expect(adapter.params[:order][:payments_attributes].
                    first[:source_attributes]).to eq source_attributes
         end
       end
@@ -36,9 +32,7 @@ describe Checkout::FormDataAdapter do
         before { order.total = "50.0" }
 
         it "sets the payment attributes amount to the order total" do
-          order_params = adapter.order_params
-
-          expect(order_params[:payments_attributes].first[:amount]).to eq order.total
+          expect(adapter.params[:order][:payments_attributes].first[:amount]).to eq order.total
         end
       end
 
@@ -51,10 +45,8 @@ describe Checkout::FormDataAdapter do
           before { params[:order][:existing_card_id] = credit_card.id }
 
           it "adds card details to payment attributes" do
-            order_params = adapter.order_params
-
-            expect(order_params[:payments_attributes].first[:source][:id]).to eq credit_card.id
-            expect(order_params[:payments_attributes].
+            expect(adapter.params[:order][:payments_attributes].first[:source][:id]).to eq credit_card.id
+            expect(adapter.params[:order][:payments_attributes].
                      first[:source][:last_digits]).to eq credit_card.last_digits
           end
         end
@@ -63,7 +55,7 @@ describe Checkout::FormDataAdapter do
           let(:credit_card) { create(:credit_card) }
 
           it "raises exception if credit card provided doesnt belong to the current user" do
-            expect { adapter.order_params }.to raise_error Spree::Core::GatewayError
+            expect { adapter.params[:order] }.to raise_error Spree::Core::GatewayError
           end
         end
       end