Dt Import CSV

[corsacca]

Enhanced Features in Theme Import Tool

Document Purpose: This document outlines the new features and significant improvements in the theme-based import tool that were not present or were limited in the original plugin version.

Major New Features

1. Server-Side Processing Architecture

What's New: Complete shift from client-side to server-side processing

• Security Enhancement: All processing happens server-side, no sensitive data in browser
• Reliability: Not susceptible to browser crashes or network interruptions
• Performance: Better handling of large files and memory management
• Resource Control: Server-side resource management and optimization

Original Plugin: Heavy reliance on client-side JavaScript for processing imports

2. Persistent Session Management with dt_reports Table

What's New: Uses dt_reports table instead of WordPress transients

• Session Recovery: Can resume interrupted imports after server restarts
• Data Persistence: Import settings survive longer than transient expiration times
• Structured Storage: Proper database storage with indexing and relationships
• Concurrent Sessions: Better handling of multiple simultaneous import sessions

Original Plugin: Used WordPress transients which expire and don't survive server restarts

3. Inline Field and Option Creation

What's New: Create new fields and field options directly within the mapping interface

• Field Creation: Create new custom fields on-the-fly during the mapping process
• Option Creation: Add new field options (like source values) directly in the mapping UI
• Real-time Workflow: No need to leave the import process to create missing fields or options
• Seamless Integration: New fields and options are immediately available for mapping

Original Plugin: Required pre-existing fields and options, no ability to create them during import

4. Name-Based Connection and User Field Handling

What's New: Handle connection fields and user assignments using names instead of requiring IDs

• Connection Fields: Import connections using readable names (e.g., "John Smith") instead of database IDs
  • Will create new records if the named connection doesn't exist
• User Assignment: Map users by display name (e.g., "assigned_to: Jane Doe") instead of user IDs
  • Only maps to existing users, no new users are created
• Natural CSV Structure: Matches how users naturally structure CSV exports from other systems
• Intelligent Handling: Different behavior for connections (create if missing) vs users (existing only)
• Intuitive Workflow: No need to look up or maintain ID mappings for connections or user assignments

Original Plugin: Required database IDs for connection fields and user assignments, making CSV preparation complex

5. Enhanced User Interface and Documentation

What's New: Comprehensive UI improvements and user guidance system

• Intuitive Interface: Modern, clean design with clear step-by-step workflow
• Built-in Documentation: Contextual help and guidance integrated directly into the import interface
• Practical Examples: Real CSV examples and templates showing proper formatting
• Visual Feedback: Clear progress indicators, validation messages, and error handling
• Interactive Guidance: Tooltips, help text, and inline examples throughout the process
• User-Friendly Messaging: Clear, non-technical language explaining each step and requirement
• Template Downloads: Sample CSV files users can download and modify for their imports

Original Plugin: Basic interface with minimal guidance, requiring external documentation

Conclusion

The theme import tool maintains full feature parity with the original plugin while introducing five major new features:

1. Server-Side Processing: Complete elimination of client-side processing vulnerabilities and limitations
2. Persistent Session Management: Reliable import session handling that survives server restarts
3. Inline Field and Option Creation: Create new fields and field options directly within the mapping interface
4. Name-Based Connection and User Field Handling: Handle connection fields and user assignments using names instead of requiring IDs
5. Enhanced User Interface and Documentation: Comprehensive UI improvements with built-in guidance and examples

These changes represent a fundamental architectural shift and enhanced workflow capabilities that improve security, reliability, performance, and user experience while maintaining all the functionality users expect from the original plugin.

[openhands-ai]

Looks like there are a few issues preventing this PR from being merged!

• GitHub Actions are failing:
  • Tests

If you'd like me to help, just leave a comment, like

@OpenHands please fix the failing actions on PR #2694

Feel free to include any additional details that might help me get this PR into a better state.

_{^{You can manage your notification settings}}

[corsacca]

@OpenHands please fix the failing actions on PR #2694

[openhands-ai]

Uh oh! There was an unexpected error starting the job :(

[corsacca]

Fix progress numbers on mobile.

[corsacca]

Thanks for the review @squigglybob, i think i've addressed the UI fixes

[squigglybob]

No worries, your location field types commit may have fixed this other thing, but I was testing the documentation, by putting in all those different location types, and the lng,lat, and degrees, and grid_id ones all worked fine. The address ones didn't work, but I think that may be because I don't have a mapbox key locally

[kodinkat]

@corsacca this is Excellent! Both the flow & new look & feel are great improvements! Good work!

Both Claude and I have now had a chance to review code and our findings (Claude's mostly ;-) captured below, across a number of comment blocks.

[kodinkat]

🎯 Overall Assessment

This is a well-architected implementation with comprehensive functionality and good security practices. The code demonstrates excellent feature parity with the existing plugin and includes several improvements. Ready for production with a few critical fixes.

🔒 Security Analysis - GOOD

✅ Strong Security Measures

• Proper permission checks on all REST endpoints (manage_dt capability)
• No direct superglobal usage
• Comprehensive file upload validation (MIME type, extension, size limits)
• Protected file storage with .htaccess denial
• Extensive input sanitization throughout
• XSS protection with proper HTML escaping

⚠️ Minor Security Concern

• External CDN dependency in dt-import/admin/dt-import-admin-tab.php:64-65: Consider self-hosting Toastify instead of CDN.

[kodinkat]

🐛 Critical Issues Requiring Fixes

1. Database Query Security - HIGH PRIORITY

File: dt-import/dt-import.php:98-103

// ISSUE: Table name not properly escaped
$old_sessions = $wpdb->get_results($wpdb->prepare(
    "SELECT payload FROM $wpdb->dt_reports 
     WHERE type = 'import_session' 
     AND timestamp < %d",
    strtotime( '-24 hours' )
), ARRAY_A);

// FIX: Use proper table name escaping
$old_sessions = $wpdb->get_results($wpdb->prepare(
    "SELECT payload FROM {$wpdb->prefix}dt_reports 
     WHERE type = 'import_session' 
     AND timestamp < %d",
    strtotime( '-24 hours' )
), ARRAY_A);

Also apply this fix to line 110-115 in the same file.

2. Session Ownership Validation - HIGH PRIORITY

File: dt-import/admin/rest-endpoints.php:737

// ISSUE: No validation that session belongs to current user
private function get_import_session( $session_id, $load_csv_data = true ) {

// FIX: Add user ownership validation
private function get_import_session( $session_id, $load_csv_data = true ) {
    global $wpdb;
    $session = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}dt_reports 
         WHERE id = %d AND user_id = %d AND type = 'import_session'",
        $session_id, get_current_user_id()
    ));
    if (!$session) {
        return false;
    }
    // Continue with existing logic...
}

[kodinkat]

🔧 Recommended Improvements

3. File Path Security Enhancement - MEDIUM PRIORITY

File: dt-import/includes/dt-import-utilities.php:119-120

// ADD: Path traversal protection
$filename = 'import_' . uniqid() . '_' . sanitize_file_name( $file_data['name'] );
$filepath = $temp_dir . $filename;

// Add this validation:
$real_path = realpath(dirname($filepath)) . '/' . basename($filepath);
if (strpos($real_path, realpath($temp_dir)) !== 0) {
    return new WP_Error('invalid_path', 'Invalid file path detected');
}

4. Memory Management for Large Files - MEDIUM PRIORITY

File: dt-import/admin/dt-import-processor.php:25-30

// ADD: Always use sampling for large datasets
$total_rows = count( $csv_data );
$use_sampling = $total_rows > 500; // Lower threshold for safety

5. Cleanup Process Locking - LOW PRIORITY

File: dt-import/dt-import.php:81

private function cleanup_temp_files() {
    // ADD: Prevent concurrent cleanup processes
    if (get_transient('dt_import_cleanup_running')) {
        return;
    }
    set_transient('dt_import_cleanup_running', 1, 300);
    
    // Existing cleanup logic...
    
    delete_transient('dt_import_cleanup_running');
}

[kodinkat]

📝 Minor Improvements

• Error Handling Enhancement in dt-import/assets/js/dt-import.js:314 - Add try-catch blocks around CSV parsing
• Self-host External Dependencies - Replace CDN Toastify with local copy
• Enhanced Logging - Consider adding debug logging for import troubleshooting

✅ Approval Recommendation

Status: APPROVE with requested changes

The implementation is solid and demonstrates excellent engineering practices. Please address the two HIGH PRIORITY database security issues before merging.

The medium and low priority items can be addressed in follow-up PRs if preferred.

Great work on achieving feature parity with comprehensive improvements over the existing plugin! 👏

[corsacca]

Thanks @kodinkat

1. isn't an issue.
2. was already implemented.
   3, 4 and 5 are now addressed