From d0bd2818c22f2c203d4e97af78f170f194061606 Mon Sep 17 00:00:00 2001
From: Luis Ramos <luisramos0@gmail.com>
Date: Sun, 23 Feb 2020 17:34:39 +0000
Subject: [PATCH] Handle strong params on users_controller

---
 app/controllers/spree/users_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/spree/users_controller.rb b/app/controllers/spree/users_controller.rb
index c620136a94..99b7fa73de 100644
--- a/app/controllers/spree/users_controller.rb
+++ b/app/controllers/spree/users_controller.rb
@@ -25,7 +25,7 @@ module Spree
     end
 
     def create
-      @user = Spree::User.new(params[:user])
+      @user = Spree::User.new(user_params)
       if @user.save
 
         if current_order
@@ -39,7 +39,7 @@ module Spree
     end
 
     def update
-      if @user.update_attributes(params[:user])
+      if @user.update_attributes(user_params)
         if params[:user][:password].present?
           # this logic needed b/c devise wants to log us out after password changes
           Spree::User.reset_password_by_token(params[:user])
@@ -70,5 +70,9 @@ module Spree
     def accurate_title
       Spree.t(:my_account)
     end
+
+    def user_params
+      params.require(:user).permit(:email, :password, :password_confirmation)
+    end
   end
 end