Bulk create users group_work

Highlights

• Major security hardening of the bulk user import flow: privilege-escalation guards, sensitive-property blocklist, upload-size enforcement, and per-row commit isolation so a single malformed row no longer poisons an entire batch.
• Full WCAG 2.1 AA accessibility pass on the admin UI (contrast, labeling, aria-live, focus styling).
• Backend quality refactor to fit SonarQube limits (cognitive complexity, lazy logging, narrowed exception scope) — no behavior change.
• Toolchain modernization: ESLint v8, Dependabot enabled, yarn PnP artifacts removed, CVE fixes pulled in via resolutions.

Features

• Restrictive default for selectedColumns (7dca079): when omitted/empty, only required user properties are written; optional CSV columns now require explicit opt-in. The groups column remains special-cased and honored whenever present in the CSV header.

Fixes

Security (b662a28, 7dca079)

• Refuse adding users to privileged groups (administrators, server-/root-/site-/system-administrators, compliance-managers, etc.).
• Reject writes to sensitive user properties (jcr:*, j:rolesIn*, j:account*, j:external*, j:password, j:roles, j:permissions, ...).
• Enforce server-side upload size limit on csvContent via SettingsBean.getJahiaFileUploadMaxSize().
• Case-insensitive root protection based on the resolved JCR name rather than the raw CSV value.
• Bounds-check row length to prevent malformed CSV rows from aborting the import.
• Sanitize CRLF/tabs and truncate attacker-controlled values written to logs.
• Stop leaking JCR exception messages to GraphQL clients (generic error returned; details kept server-side).
• Per-row commit isolation with refresh(false) on failure to avoid staged partial mutations leaking across rows.

Accessibility (070bb00, 57ec71c, 62646b, ac0f4db, 957a1f1, 7462850, 9588568)

• Resolve WCAG 2.1 AA audit issues in the admin UI (multiple passes).
• AAA contrast fixes; submit-button contrast and file-input labeling fixed.
• Hide empty result box visually while keeping the aria-live region in the DOM.
• Hide bcu-missing-required styling when no fields are actually missing.

Dependencies / CVE

• 7a228f4 — Upgrade systeminformation 5.31.5 → 5.31.6 via resolution (CVE).
• 7e75def — Upgrade @babel/plugin-transform-modules-systemjs (Dependabot alert).
• c7a685c — Add Dependabot configuration.

Refactoring

• 0f0a0b2 — backend quality refactor: split the monolithic UsersHandler.processUser / addUserToGroups paths into focused helpers; bundle per-import state into immutable carriers (ImportRequest, CsvLayout, RowContext) to keep parameter counts and cognitive complexity inside SonarQube limits. Added lazy() wrapper around sanitizeForLog (rule S2629). Narrowed the import-level catch to IOException (rule S112). No behavior change.
• 0912cec — style: simplify bcu_columnFieldset to keep only border-bottom.

Tests

• 86b2c1d — Cypress selector fix: select the file input by name attribute (input[name="csvFile"]) so tests stay aligned with the a11y refactor that restructured the file-input markup; resilient to future label/id changes.
• 7dca079 — Cypress coverage for the new restrictive selectedColumns default and for row-level isolation of malformed rows.
• Additional adjustments across 02-bulkCreateUsersUI-Layout.cy.ts, 03-bulkCreateUsersUI-Import.cy.ts, 04-bulkCreateUsersUI-ColumnSelection.cy.ts.

Tooling / Build

• cc2343e — Upgrade ESLint to v8 and @jahia/eslint-config to v2.2.0 (flatten config).
• a78af1a — Clean up yarn PnP files (.pnp.cjs, .pnp.loader.mjs removed at both root and tests/).
• c23b197 — Rename CLAUDE.md to AGENTS.md and add a CLAUDE.md reference pointer.

Full Changelog: 2_0_0...2_0_1

CSV Format

Required columns

Optional columns

The UI displays all optional columns detected in the CSV header and lets you toggle each one before importing. Unselected columns are ignored by the backend.

Delimiter

The default delimiter is ,. Any single character is accepted (e.g. ;, |). Set it in the UI before uploading.

Example

j:nodename,j:password,j:firstName,j:lastName,j:email,groups
alice,Secret1234!,Alice,Smith,alice@example.com,[editors],[privileged]
bob,Secret1234!,Bob,Jones,bob@example.com,[editors]

GraphQL API

Query

query {
  bulkCreateUsersMaxUploadSize   # returns the configured max size in bytes
}

Mutation

mutation {
  bulkCreateUsersImport(
    csvContent: "...",
    separator: ",",
    siteKey: "mySite",          # omit for global users
    selectedColumns: ["j:firstName", "j:lastName", "j:email", "groups"]
  ) {
    success
    createdCount
    skippedCount
    errorCount
    errors
  }
}

Both operations require the adminUsers permission.

Requirements

• Jahia 8.2.1.0 or later
• Module dependencies: default, graphql-dxm-provider

Installation

Deploy the module on your Jahia environment. The Bulk Create Users option becomes available under Administration → [site] → Settings → Bulk Create Users.

MIT License

Copyright (c) 2022 - present Jahia

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.