From eef1574ebebb8b0481c456335505b5dccfb34023 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Wed, 26 Feb 2020 18:03:19 +0100
Subject: [PATCH] Call #permit on params object in before_filter
---
 app/controllers/spree/paypal_controller_decorator.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/controllers/spree/paypal_controller_decorator.rb b/app/controllers/spree/paypal_controller_decorator.rb
index 1512299198..c6bbbd744d 100644
--- a/app/controllers/spree/paypal_controller_decorator.rb
+++ b/app/controllers/spree/paypal_controller_decorator.rb
@@ -2,6 +2,7 @@ Spree::PaypalController.class_eval do
 before_filter :enable_embedded_shopfront
 before_filter :destroy_orphaned_paypal_payments, only: :confirm
 after_filter :reset_order_when_complete, only: :confirm
+ before_filter :permit_parameters!
 def cancel
 flash[:notice] = Spree.t('flash.cancel', scope: 'paypal')
@@ -18,6 +19,10 @@ Spree::PaypalController.class_eval do
 private
+ def permit_parameters!
+ params.permit(:token, :payment_method_id, :PayerID)
+ end
+
 def reset_order_when_complete
 if current_order.complete?
 flash[:notice] = t(:order_processed_successfully)
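Review bot: In `permit_parameters!` (second hunk) the result of `params.permit(:token, :payment_method_id, :PayerID)` is discarded, and `permit` returns a filtered copy rather than changing `params`, so later reads of `params` in this controller still see every submitted key. As written the filter appears to have an effect only through `config.action_controller.action_on_unpermitted_parameters` (logging or raising on extra keys), and the bang in the method name suggests an in-place change that does not happen. If an allow-list is the goal, keep the result, e.g. `@permitted_params = params.permit(:token, :payment_method_id, :PayerID)`, and read from that where the actions (which are outside this hunk) consume these keys; otherwise a short comment stating what the call is for would prevent it from being read as input filtering. The filter is also registered after `destroy_orphaned_paypal_payments` in the first hunk, so it runs after that filter on `confirm`; `prepend_before_filter :permit_parameters!` would be needed for it to run first.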