diff --git a/app/controllers/spree/admin/users_controller.rb b/app/controllers/spree/admin/users_controller.rb
index 6d8337a5ce..d5525936a3 100644
--- a/app/controllers/spree/admin/users_controller.rb
+++ b/app/controllers/spree/admin/users_controller.rb
@@ -138,7 +138,7 @@ module Spree
       end
 
       def user_params
-        params.require(:user).permit(:email, :enterprise_limit, :password, :password_confirmation)
+        PermittedAttributes::User.new(params).call([:enterprise_limit])
       end
     end
   end
diff --git a/app/controllers/spree/users_controller.rb b/app/controllers/spree/users_controller.rb
index 99b7fa73de..03aced66c8 100644
--- a/app/controllers/spree/users_controller.rb
+++ b/app/controllers/spree/users_controller.rb
@@ -72,7 +72,7 @@ module Spree
     end
 
     def user_params
-      params.require(:user).permit(:email, :password, :password_confirmation)
+      ::PermittedAttributes::User.new(params).call
     end
   end
 end
diff --git a/app/controllers/user_registrations_controller.rb b/app/controllers/user_registrations_controller.rb
index 0482fc39c7..2e9870b37e 100644
--- a/app/controllers/user_registrations_controller.rb
+++ b/app/controllers/user_registrations_controller.rb
@@ -35,8 +35,7 @@ class UserRegistrationsController < Spree::UserRegistrationsController
   def spree_user_params
     return params[:spree_user] if params[:spree_user].empty?
 
-    params.require(:spree_user).
-      permit(:email, :password, :password_confirmation, :remember_me)
+    PermittedAttributes::User.new(params, :spree_user).call([:remember_me])
   end
 
   def render_error(errors = {})
diff --git a/app/services/permitted_attributes/user.rb b/app/services/permitted_attributes/user.rb
new file mode 100644
index 0000000000..4efbf0e3b5
--- /dev/null
+++ b/app/services/permitted_attributes/user.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+  class User
+    def initialize(params, resource_name = :user)
+      @params = params
+      @resource_name = resource_name
+    end
+
+    def call(extra_permitted_attributes = [])
+      @params.require(@resource_name).
+        permit(permitted_attributes + extra_permitted_attributes)
+    end
+
+    private
+
+    def permitted_attributes
+      [:email, :password, :password_confirmation]
+    end
+  end
+end