Refine password element for user import (and possibly export)

[asmecher]

Currently there's no way to import users specifying plain-text passwords.

lib/pkp/plugins/importexport/users/pkp-users.xsd specifies an encryption attribute, but lib/pkp/plugins/importexport/users/filter/UserXmlPKPUserFilter.inc.php doesn't refer to it.

Refine the password element (and attributes) to allow clearer import/export of password data, including plain-text password imports.

[asmecher]

This is related to #3261, so assigning to you, @defstat. No milestone assigned yet.

[defstat]

@asmecher
The user export function exports a password hash and its encryption (as given in config.inc.php)
The user import function seems to set the user password as given from the exported xml hashed password (indeed not taking into account the encryption algorithm).

I suppose that the first thing here is to check on import the password_needs_rehash for the db hash.

• If false, the password hash can be inserted in the user row
• If true, we could create a reset-password-hash, and add the user as if the user asked for a password reset. (not sure if that's a "valid" approach)

@asmecher Is there a case where the user can specify a plain-text password (in OJS)? Or you are referring to an XML that is not produced from export process? If yes we can omit the encryption attribute from XML, and then follow the target's (import OJS) encrypt process on the plain-password text.

Any thoughts on these?

[asmecher]

The use case for plain-text imports is when creating content for OJS from another system. What you're proposing makes sense.

[defstat]

@asmecher
I prepared a PR that adds the following to the import process

• Plain-text password import: If the imported XML element does not define an encryption attribute, then the function encrypts the value of the element, supposing that its a plain-text password. (No checks are performed - for example - for the length of the password.)
• Import of passwords that the password_needs_rehash return true: a new random password is being created and the proper email is being send to the imported user (as if the user is being registered with a random password). The change_password switch is turned on for this user.
• Import of passwords that the password_needs_rehash return false: The password is just imported to the user as-is.

PR
pkp-lib: #3494

[defstat]

@asmecher
Some review changes to pkp-lib and changes to OMP and OJS master branch
PRs
pkp-lib: #3494
ojs: pkp/ojs#1954
omp: pkp/omp#529

[asmecher]

Thanks, @defstat, just one remaining comment!

[defstat]

@asmecher Everything merged

[asmecher]

Thanks, @defstat! Closing this issue.

[defstat]

Reopened to check:
https://forum.pkp.sfu.ca/t/notify-users-on-user-import-through-users-xml-plugin-import

[NateWr]

@defstat if this is still a problem, can you file a new issue for it? Then we can scheduled it against a future milestone.