Fix UsersController::create() and PagesController::renameFIle() not being validated

formwork/src/Panel/Controllers/PagesController.php

@@ -410,6 +410,12 @@ class PagesController extends AbstractController
 
         $page = $this->site->findPage($routeParams->get('page'));
 
+        $fields = $this->modal('renameFile')->fields();
+
+        $fields->setValues($this->request->input())->validate();
+
+        $data = $fields->everyItem()->value();
+
         if ($page === null) {
             $this->panel->notify($this->translate('panel.pages.page.cannotRenameFile.pageNotFound'), 'error');
             return $this->redirectToReferer(default: $this->generateRoute('panel.pages'), base: $this->panel->panelRoot());
@@ -420,7 +426,7 @@ class PagesController extends AbstractController
             return $this->redirect($this->generateRoute('panel.pages.edit', ['page' => $routeParams->get('page')]));
         }
 
-        $name = Str::slug(FileSystem::name($this->request->input()->get('filename')));
+        $name = Str::slug(FileSystem::name($data->get('filename')));
         $extension = FileSystem::extension($routeParams->get('filename'));
 
         $newName = $name . '.' . $extension;

formwork/src/Panel/Controllers/UsersController.php

@@ -50,33 +50,33 @@ class UsersController extends AbstractController
             return $this->forward(ErrorsController::class, 'forbidden');
         }
 
-        $requestData = $this->request->input();
-
         $fields = $this->modal('newUser')->fields();
 
         // Ensure no required data is missing
         try {
-            $fields->setValues($requestData)->validate();
+            $fields->setValues($this->request->input())->validate();
         } catch (ValidationException) {
             $this->panel->notify($this->translate('panel.users.user.cannotCreate.varMissing'), 'error');
             return $this->redirect($this->generateRoute('panel.users'));
         }
 
+        $data = $fields->everyItem()->value();
+
+        $username = $data->get('username');
+
         // Ensure there isn't a user with the same username
-        if ($this->site->users()->has($requestData->get('username'))) {
+        if ($this->site->users()->has($username)) {
             $this->panel->notify($this->translate('panel.users.user.cannotCreate.alreadyExists'), 'error');
             return $this->redirect($this->generateRoute('panel.users'));
         }
 
-        $userData = [
+        Yaml::encodeToFile([
-            'username' => $requestData->get('username'),
+            'username' => $username,
-            'fullname' => $requestData->get('fullname'),
+            'fullname' => $data->get('fullname'),
-            'hash'     => Password::hash($requestData->get('password')),
+            'hash'     => Password::hash($data->get('password')),
-            'email'    => $requestData->get('email'),
+            'email'    => $data->get('email'),
-            'language' => $requestData->get('language'),
+            'language' => $data->get('language'),
-        ];
+        ], FileSystem::joinPaths($this->config->get('system.users.paths.accounts'), $username . '.yaml'));
-
-        Yaml::encodeToFile($userData, FileSystem::joinPaths($this->config->get('system.users.paths.accounts'), $requestData->get('username') . '.yaml'));
 
         $this->panel->notify($this->translate('panel.users.user.created'), 'success');
         return $this->redirect($this->generateRoute('panel.users'));
@@ -218,7 +218,7 @@ class UsersController extends AbstractController
         $path = FileSystem::joinPaths($this->config->get('system.users.paths.images'), $routeParams->get('image'));
 
         if (FileSystem::isFile($path)) {
-            return new FileResponse($path);
+            return new FileResponse($path, headers: ['Cache-Control' => 'max-age=31536000, private']);
         }
 
         throw new FileNotFoundException('Cannot find asset');

panel/modals/newUser.yaml

@@ -1,6 +1,6 @@
 title: '{{panel.users.newUser}}'
 
-action: '/users/new/'
+action: /users/new/
 
 fields:
     fullname: