diff --git a/app/controllers/admin/customers_controller.rb b/app/controllers/admin/customers_controller.rb
index 9941829d2b..d4cf9b15fe 100644
--- a/app/controllers/admin/customers_controller.rb
+++ b/app/controllers/admin/customers_controller.rb
@@ -28,7 +28,7 @@ module Admin
 end
 def create
- @customer = Customer.new(params[:customer])
+ @customer = Customer.new(customer_params)
 if user_can_create_customer?
 if @customer.save
 tag_rule_mapping = TagRule.mapping_for(Enterprise.where(id: @customer.enterprise))
@@ -80,5 +80,18 @@ module Admin
 def ams_prefix_whitelist
 [:subscription]
 end
+
+ def customer_params
+ params.require(:customer).permit(
+ :enterprise_id, :name, :email, :code, :tag_list,
+ ship_address_attributes: PermittedAttributes::Address.attributes,
+ bill_address_attributes: PermittedAttributes::Address.attributes,
+ )
+ end
+
+ # Used in ResourceController#update
+ def permitted_resource_params
+ customer_params
+ end
 end
 end
diff --git a/app/controllers/admin/enterprise_groups_controller.rb b/app/controllers/admin/enterprise_groups_controller.rb
index 4494a7927a..5483cdd45e 100644
--- a/app/controllers/admin/enterprise_groups_controller.rb
+++ b/app/controllers/admin/enterprise_groups_controller.rb
@@ -55,5 +55,13 @@ module Admin
 def collection
 EnterpriseGroup.by_position
 end
+
+ def permitted_resource_params
+ params.require(:enterprise_group).permit(
+ :name, :description, :long_description, :on_front_page, :owner_id, :permalink,
+ :email, :website, :facebook, :instagram, :linkedin, :twitter,
+ enterprise_ids: [], address_attributes: PermittedAttributes::Address.attributes
+ )
+ end
 end
 end
diff --git a/app/controllers/admin/enterprise_roles_controller.rb b/app/controllers/admin/enterprise_roles_controller.rb
index 98810e2a64..299292238e 100644
--- a/app/controllers/admin/enterprise_roles_controller.rb
+++ b/app/controllers/admin/enterprise_roles_controller.rb
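Review bot: `customer_params` and `permitted_resource_params` are appended after `ams_prefix_whitelist`, and the hunk does not show whether a `private` marker precedes them; a public controller method is an action candidate in Rails, so confirm they sit below `private` (the enterprise_roles hunk in this commit adds an explicit `private` marker, which is the pattern to follow). Because `permitted_resource_params` is reused for update, `:enterprise_id` is now assignable on update as well, which lets a request move an existing customer to a different enterprise; `user_can_create_customer?` guards only create, so the authorisation for the target enterprise on update is presumably enforced elsewhere and is worth confirming. A comment on `permitted_resource_params` such as `# also permits :enterprise_id on update — target enterprise must be authorised by <AUTHORISATION HOOK PLACEHOLDER>` would make that dependency visible. The same visibility question applies to `permitted_resource_params` in enterprise_groups_controller, which is appended after `collection` with no `private` marker in view.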
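Review bot: `permitted_resource_params` in enterprise_groups_controller whitelists `:owner_id` and `enterprise_ids: []`, so any request that reaches create or update may reassign the group's owner and its member enterprises; strong parameters restrict which keys are assignable, not who may assign them, so the authorisation check for those two keys in particular should be confirmed (it is not visible in this hunk). A one-line comment above the method, e.g. `# owner_id and enterprise_ids are assignable here; ownership changes rely on <AUTHORISATION CHECK PLACEHOLDER>`, would record that dependency. The trailing-comma style also differs from `customer_params` in customers_controller, which closes its list with `,` before `)`; pick one convention for the new methods.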
@@ -7,7 +7,7 @@ module Admin
 end
 def create
- @enterprise_role = EnterpriseRole.new params[:enterprise_role]
+ @enterprise_role = EnterpriseRole.new enterprise_role_params
 if @enterprise_role.save
 render text: Api::Admin::EnterpriseRoleSerializer.new(@enterprise_role).to_json
@@ -22,5 +22,11 @@ module Admin
 @enterprise_role.destroy
 render nothing: true
 end
+
+ private
+
+ def enterprise_role_params
+ params.require(:enterprise_role).permit(:user_id, :enterprise_id)
+ end
 end
 end
diff --git a/app/controllers/admin/enterprises_controller.rb b/app/controllers/admin/enterprises_controller.rb
index cf95180818..6198497e98 100644
--- a/app/controllers/admin/enterprises_controller.rb
+++ b/app/controllers/admin/enterprises_controller.rb
@@ -41,7 +41,7 @@ module Admin
 tag_rules_attributes = params[object_name].delete :tag_rules_attributes
 update_tag_rules(tag_rules_attributes) if tag_rules_attributes.present?
 update_enterprise_notifications
- if @object.update_attributes(params[object_name])
+ if @object.update_attributes(enterprise_params)
 invoke_callbacks(:update, :after)
 flash[:success] = flash_message_for(@object, :successfully_updated)
 respond_with(@object) do |format|
@@ -244,7 +244,7 @@ module Admin
 def override_sells
 unless spree_current_user.admin?
 has_hub = spree_current_user.owned_enterprises.is_hub.any?
- new_enterprise_is_producer = Enterprise.new(params[:enterprise]).is_primary_producer
+ new_enterprise_is_producer = Enterprise.new(enterprise_params).is_primary_producer
 params[:enterprise][:sells] = has_hub && !new_enterprise_is_producer ? 'any' : 'none'
 end
 end
@@ -303,5 +303,14 @@ module Admin
 def ams_prefix_whitelist
 [:index, :basic]
 end
+
+ def enterprise_params
+ PermittedAttributes::Enterprise.new(params).call
+ end
+
+ # Used in ResourceController#create
+ def permitted_resource_params
+ enterprise_params
+ end
 end
 end
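Review bot: In the enterprises_controller update hunk, `tag_rules_attributes` is still pulled from the raw `params[object_name]` on the first context line and handed to `update_tag_rules`, so that path stays outside the new whitelist; if `update_tag_rules` mass-assigns those attributes it will either raise `ActiveModel::ForbiddenAttributesError` on the unpermitted object or, if it converts them to a plain hash first, bypass strong parameters entirely — its body is not in the hunk, so this needs checking. The `delete` also mutates `params` before `enterprise_params` runs, which is what keeps `tag_rules_attributes` out of the permitted set; a comment such as `# tag_rules_attributes is stripped from params here and handled by update_tag_rules, not by enterprise_params` would make that ordering explicit. The enclosing `update` method starts and ends outside the hunk.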
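Review bot: `enterprise_params` in the last enterprises_controller hunk builds a fresh `PermittedAttributes::Enterprise.new(params).call` on every call, and the `override_sells` hunk above depends on that: it calls `enterprise_params` once, then writes `params[:enterprise][:sells]`, and the later `permitted_resource_params` call (presumably from the create action) must see the rewritten value. A comment `# Not memoized on purpose: override_sells mutates params[:enterprise] between calls` would stop a future `@enterprise_params ||=` from silently dropping the override. Since `override_sells` reads `enterprise_params` via `params.require(:enterprise)`, a request without an `enterprise` key now fails inside that helper rather than at `Enterprise.new`; whichever error surfaces there should be the intended one.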
diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index e7bb5bf366..7503e42833 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -18,7 +18,7 @@ module Spree
 end
 def update
- if @order.update_attributes(params[:order])
+ if @order.update_attributes(order_params)
 if params[:guest_checkout] == "false"
 @order.associate_user!(Spree.user_class.find_by(email: @order.email))
 end
@@ -41,6 +41,15 @@ module Spree
 private
+ def order_params
+ params.require(:order).permit(
+ :email,
+ :use_billing,
+ bill_address_attributes: ::PermittedAttributes::Address.attributes,
+ ship_address_attributes: ::PermittedAttributes::Address.attributes
+ )
+ end
+
 def load_order
 @order = Order.find_by_number!(params[:order_id], include: :adjustments)
 end
diff --git a/app/services/permitted_attributes/address.rb b/app/services/permitted_attributes/address.rb
index 4fd7908297..4c7a538caf 100644
--- a/app/services/permitted_attributes/address.rb
+++ b/app/services/permitted_attributes/address.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module PermittedAttributes
 class Address
 def self.attributes
diff --git a/app/services/permitted_attributes/enterprise.rb b/app/services/permitted_attributes/enterprise.rb
new file mode 100644
index 0000000000..f02863b2a5
--- /dev/null
+++ b/app/services/permitted_attributes/enterprise.rb
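Review bot: The `::PermittedAttributes::Address` prefix in `order_params` is load-bearing and undocumented: this controller sits inside `module Spree`, and Spree ships its own `Spree::PermittedAttributes` module, so an unqualified `PermittedAttributes::Address` here would resolve to the wrong constant, while none of the other controllers in this commit need the prefix. A one-line comment above the `permit(` call, `# ::-prefixed on purpose: Spree defines its own PermittedAttributes module`, would prevent a later "cleanup" from breaking it. Putting `order_params` directly under the existing `private` marker is the right placement; the enclosing `private` section continues past the hunk.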
@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module PermittedAttributes
+ class Enterprise
+ def initialize(params)
+ @params = params
+ end
+
+ def call
+ return @params[:enterprise] if @params[:enterprise].empty?
+
+ @params.require(:enterprise).permit(
+ basic_permitted_attributes + [
+ group_ids: [], user_ids: [],
+ shipping_method_ids: [], payment_method_ids: [],
+ address_attributes: PermittedAttributes::Address.attributes,
+ producer_properties_attributes: [:id, :property_name, :value, :_destroy]
+ ]
+ )
+ end
+
+ private
+
+ def basic_permitted_attributes
+ [
+ :id, :name, :visible, :permalink, :owner_id, :contact_name, :email_address, :phone,
+ :is_primary_producer, :sells, :website, :facebook, :instagram, :linkedin, :twitter,
+ :description, :long_description, :logo, :promo_image,
+ :allow_guest_orders, :allow_order_changes, :require_login, :enable_subscriptions,
+ :abn, :acn, :charges_sales_tax, :display_invoice_logo, :invoice_text,
+ :preferred_product_selection_from_inventory_only, :preferred_shopfront_message,
+ :preferred_shopfront_closed_message, :preferred_shopfront_taxon_order,
+ :preferred_shopfront_order_cycle_order
+ ]
+ end
+ end
+end
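Review bot: `@params[:enterprise].empty?` in `call` raises `NoMethodError` when the request carries no `enterprise` key at all, because `@params[:enterprise]` is then `nil`; the early exit also hands back the raw, unpermitted `ActionController::Parameters` object, which only works because the callers' mass assignment skips the permitted check for an empty attribute set. `return {} if @params[:enterprise].blank?` covers both the missing and the empty case and returns something every caller accepts without relying on that detail; the reason for the early exit (presumably that `require` rejects an empty `enterprise` hash with `ParameterMissing`) deserves a comment either way. `:id` is also part of `basic_permitted_attributes`, which lets an update request attempt to reassign the record's primary key through `update_attributes`; if nothing in the app needs it, drop it. Finally, as `call` is now the single source of truth for what an enterprise form may set, a one-line class comment stating that, e.g. `# Strong-parameter whitelist for Enterprise create/update; extend here, not in the controllers.`, would help the next reader.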