From d667d7e609736fcee2a0c9bb3870055519f825aa Mon Sep 17 00:00:00 2001
From: Giuseppe Criscione <18699708+giuscris@users.noreply.github.com>
Date: Fri, 1 Nov 2024 19:13:06 +0100
Subject: [PATCH] Fix `UsersController::create()` and `PagesController::renameFIle()` not being validated
---
 .../src/Panel/Controllers/PagesController.php | 8 +++++-
 .../src/Panel/Controllers/UsersController.php | 28 +++++++++----------
 panel/modals/newUser.yaml | 2 +-
 3 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/formwork/src/Panel/Controllers/PagesController.php b/formwork/src/Panel/Controllers/PagesController.php
index 089a5a98..3359fe6d 100644
--- a/formwork/src/Panel/Controllers/PagesController.php
+++ b/formwork/src/Panel/Controllers/PagesController.php
@@ -410,6 +410,12 @@ class PagesController extends AbstractController
 $page = $this->site->findPage($routeParams->get('page'));
+ $fields = $this->modal('renameFile')->fields();
+
+ $fields->setValues($this->request->input())->validate();
+
+ $data = $fields->everyItem()->value();
+
 if ($page === null) {
 $this->panel->notify($this->translate('panel.pages.page.cannotRenameFile.pageNotFound'), 'error');
 return $this->redirectToReferer(default: $this->generateRoute('panel.pages'), base: $this->panel->panelRoot());
@@ -420,7 +426,7 @@ class PagesController extends AbstractController
 return $this->redirect($this->generateRoute('panel.pages.edit', ['page' => $routeParams->get('page')]));
 }
- $name = Str::slug(FileSystem::name($this->request->input()->get('filename')));
+ $name = Str::slug(FileSystem::name($data->get('filename')));
 $extension = FileSystem::extension($routeParams->get('filename'));
 $newName = $name . '.' . $extension;
diff --git a/formwork/src/Panel/Controllers/UsersController.php b/formwork/src/Panel/Controllers/UsersController.php
index 7afc0c6c..e672426c 100644
--- a/formwork/src/Panel/Controllers/UsersController.php
+++ b/formwork/src/Panel/Controllers/UsersController.php
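Review bot: The new `$fields->setValues($this->request->input())->validate();` in renameFile() is not wrapped in a try/catch, so a ValidationException raised by missing or invalid input propagates out of the controller instead of producing a panel notification, unlike the equivalent code this same commit touches in UsersController::create(). The validation also runs before the `$page === null` check, so the existing pageNotFound notification is unreachable whenever the input is invalid; either catch first or place the validation after the page and file checks. The enclosing method starts and ends outside the hunk, and if PagesController does not already import ValidationException a use statement is needed too. The second hunk in this file only consumes `$data` and needs no separate change.
```php
        $fields = $this->modal('renameFile')->fields();

        try {
            $fields->setValues($this->request->input())->validate();
        } catch (ValidationException) {
            $this->panel->notify($this->translate('PLACEHOLDER: translation key for invalid rename input'), 'error');
            return $this->redirectToReferer(default: $this->generateRoute('panel.pages'), base: $this->panel->panelRoot());
        }

        $data = $fields->everyItem()->value();

        // … unchanged: page / file existence checks and the rename itself …
```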
@@ -50,33 +50,33 @@ class UsersController extends AbstractController
 return $this->forward(ErrorsController::class, 'forbidden');
 }
- $requestData = $this->request->input();
-
 $fields = $this->modal('newUser')->fields();
 // Ensure no required data is missing
 try {
- $fields->setValues($requestData)->validate();
+ $fields->setValues($this->request->input())->validate();
 } catch (ValidationException) {
 $this->panel->notify($this->translate('panel.users.user.cannotCreate.varMissing'), 'error');
 return $this->redirect($this->generateRoute('panel.users'));
 }
+ $data = $fields->everyItem()->value();
+
+ $username = $data->get('username');
+
 // Ensure there isn't a user with the same username
- if ($this->site->users()->has($requestData->get('username'))) {
+ if ($this->site->users()->has($username)) {
 $this->panel->notify($this->translate('panel.users.user.cannotCreate.alreadyExists'), 'error');
 return $this->redirect($this->generateRoute('panel.users'));
 }
- $userData = [
- 'username' => $requestData->get('username'),
- 'fullname' => $requestData->get('fullname'),
- 'hash' => Password::hash($requestData->get('password')),
- 'email' => $requestData->get('email'),
- 'language' => $requestData->get('language'),
- ];
-
- Yaml::encodeToFile($userData, FileSystem::joinPaths($this->config->get('system.users.paths.accounts'), $requestData->get('username') . '.yaml'));
+ Yaml::encodeToFile([
+ 'username' => $username,
+ 'fullname' => $data->get('fullname'),
+ 'hash' => Password::hash($data->get('password')),
+ 'email' => $data->get('email'),
+ 'language' => $data->get('language'),
+ ], FileSystem::joinPaths($this->config->get('system.users.paths.accounts'), $username . '.yaml'));
 $this->panel->notify($this->translate('panel.users.user.created'), 'success');
 return $this->redirect($this->generateRoute('panel.users'));
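Review bot: `$username` is still used as a file-name component in `FileSystem::joinPaths($this->config->get('system.users.paths.accounts'), $username . '.yaml')`, and the diff does not show whether the newUser modal's username field restricts the allowed characters, so the validation added above may not by itself guarantee a safe path segment. Confirm that the field definition enforces a strict allow-list, or add an explicit check of the username's character set right after `$username = $data->get('username');`, before the existence check and the file write. A comment on that line would make the dependency visible to the next maintainer: `// $username becomes the account file name; the newUser modal's username field must restrict it to a safe character set`.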
@@ -218,7 +218,7 @@ class UsersController extends AbstractController
 $path = FileSystem::joinPaths($this->config->get('system.users.paths.images'), $routeParams->get('image'));
 if (FileSystem::isFile($path)) {
- return new FileResponse($path);
+ return new FileResponse($path, headers: ['Cache-Control' => 'max-age=31536000, private']);
 }
 throw new FileNotFoundException('Cannot find asset');
diff --git a/panel/modals/newUser.yaml b/panel/modals/newUser.yaml
index 31f58485..526e0f33 100644
--- a/panel/modals/newUser.yaml
+++ b/panel/modals/newUser.yaml
@@ -1,6 +1,6 @@
 title: '{{panel.users.newUser}}'
-action: '/users/new/'
+action: /users/new/
 fields:
 fullname:
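Review bot: A one-year `max-age` on a response addressed only by the `image` route parameter means that an image replaced under the same name keeps being served stale from browser caches until the URL changes; the diff does not show whether image URLs carry a version or hash, so confirm that before shipping, or use a shorter max-age together with a validator (ETag / Last-Modified) that FileResponse can revalidate against. Whichever holds, the assumption deserves a comment on the new line: `// Long-lived cache: image URLs must change when the image content does`. The enclosing method starts outside the hunk.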