From a9a92e11e2378e1cfd7436398132fa61ff897db0 Mon Sep 17 00:00:00 2001
From: Luis Ramos
Date: Sat, 22 Feb 2020 17:41:45 +0000
Subject: [PATCH] Bring some strong parameters code from spree to our Spree controllers

This code comes from spree commit https://github.com/openfoodfoundation/spree/commit/fbc2d150f640399d73baab5295416da7131b95e7
---
 .../spree/admin/orders/customer_details_controller.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index e7bb5bf366..989e73fa46 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -18,7 +18,7 @@ module Spree
 end

 def update
- if @order.update_attributes(params[:order])
+ if @order.update_attributes(order_params)
 if params[:guest_checkout] == "false"
 @order.associate_user!(Spree.user_class.find_by(email: @order.email))
 end
@@ -41,6 +41,15 @@ module Spree

 private

+ def order_params
+ params.require(:order).permit(
+ :email,
+ :use_billing,
+ :bill_address_attributes => permitted_address_attributes,
+ :ship_address_attributes => permitted_address_attributes
+ )
+ end
+
 def load_order
 @order = Order.find_by_number!(params[:order_id], include: :adjustments)
 end
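Review bot: In `update`, the result of `Spree.user_class.find_by(email: @order.email)` is handed to `associate_user!` with no nil check, and `email` is a request-supplied field that `order_params` lets through, so an address with no matching account reaches that call as `nil`. Whether `associate_user!` tolerates `nil` is not visible in this diff; if it does not, guard the lookup, e.g. `user = Spree.user_class.find_by(email: @order.email)` followed by `@order.associate_user!(user) if user`. The body of `update` continues outside the hunk, so the failure path for that branch should be checked against the rest of the method.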
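Review bot: The address half of the allow-list in `order_params` is delegated to `permitted_address_attributes`, which is not defined anywhere in this diff, so the fields that can actually be mass-assigned through `bill_address_attributes` and `ship_address_attributes` cannot be verified from the patch; presumably a shared strong-parameters helper supplies it, and it is worth confirming this controller includes that helper and that its list holds only address fields. Any other key the customer-details form posts under `order` is now dropped, and Rails by default only logs unpermitted keys, so a request spec that posts an extra (constructed) key and asserts the order is unchanged would pin the behaviour; setting `config.action_controller.action_on_unpermitted_parameters = :raise` in the test environment makes a forgotten form field fail loudly. A short comment above the method such as `# Allow-list for admin customer-details updates; other keys in params[:order] are ignored.` would record the intent. On style, the two nested keys use hash rockets while the rest of the visible file uses `key:` syntax (`email:`, `include:`), so `bill_address_attributes: permitted_address_attributes` would be consistent.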