[REFACTOR] Ensure user_pass not included in export.

Although user_pass would have been hashed, it still made little to no sense including it in the export. A common use case is to export from one environment to impose on to another and if not careful this would include the hashed password as the users password and thus set as the password (it would get re-hashed of course). Storing passwords in text files is generally frowned upon, so make sure we don't incldue it in the export.
boxuk · Apr 8, 2021 · 0ff11dc · 0ff11dc
1 parent 8b45810
commit 0ff11dc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/features/users.feature b/features/users.feature
@@ -28,6 +28,16 @@ Feature: Site / Network Users Region
       | Admin One      | adminone@example.com  | administrator     |
       | Editor One     | editorone@example.com | editor            |
 
+    When I run `wp dictator export site export.yml`
+    Then STDOUT should contain:
+    """
+    Success: State written to file.
+    """
+    And the export.yml file should not contain:
+    """
+    user_pass:
+    """
+
   Scenario: Impose Network Users
       Given a WP multisite install
       And a network-users.yml file:
@@ -50,3 +60,13 @@ Feature: Site / Network Users Region
         | display_name   | user_email            |
         | Admin One      | adminone@example.com  |
         | Editor One     | editorone@example.com |
+
+      When I run `wp dictator export network export.yml`
+      Then STDOUT should contain:
+      """
+      Success: State written to file.
+      """
+      And the export.yml file should not contain:
+      """
+      user_pass:
+      """
diff --git a/php/regions/class-users.php b/php/regions/class-users.php
@@ -35,11 +35,6 @@ abstract class Users extends Region {
 					'_required'     => false,
 					'_get_callback' => 'get_user_value',
 				),
-				'user_pass'    => array(
-					'_type'         => 'text',
-					'_required'     => false,
-					'_get_callback' => 'get_user_value',
-				),
 				'role'         => array(
 					'_type'         => 'text',
 					'_required'     => false,
@@ -149,7 +144,7 @@ public function impose( $key, $value ) {
 			$user_obj = array(
 				'user_login' => $key,
 				'user_email' => $value['email'], // 'email' is required.
-				'user_pass'  => isset( $value['user_pass'] ) ? $value['user_pass'] : wp_generate_password( 24 ), // if no password supplied, generate random password.
+				'user_pass'  => wp_generate_password( 24 ),
 			);
 			$user_id  = wp_insert_user( $user_obj );
 			if ( is_wp_error( $user_id ) ) {