Not sure if this was on purpose, but I noticed in the menu settings that one admin option had an access argument for the "administer scheduler" permission and then the access callback was TRUE, which totally negates the access perm and opens that functionality to anonymous users.

Also, here's a quick patch to amend that. For your consideration.


Comments

jonathan1055

Hello,
Yes you are right, anon users can run the scheduler lightweight cron and I'm sure that is not intentional. I'll test the patch. The same fault is in the D6 version, so we should fix both.
Thanks for spotting this!
Jonathan

jonathan1055

Status: Active » Needs review
FileSize
947 bytes

Just tested the patch, and you fixed the access to /admin/config/content/scheduler/cron.
But running the cron via /scheduler/cron also needs to be fixed. The attached patch does both.

cntlscrut

That looks good. The only reason that I didn't remove the callback for "/scheduler/cron" was because I saw the use of being able to add a call to that in the crontab that wouldn't call the full Drupal cron functionality if it wasn't necessary.

My main issue was just with the admin functionality of being able to trigger the run via a button being exposed to anon users.
Though the lightweight cron is nice, the Drupal cron is already set and tested as secure and even in larger instances shouldn't pose a significant performance risk.

Looking at and testing the patch I don't see any major reason not to commit and tag a new release.

jonathan1055

Looking at #431776: Cron should run as anonymous when invoked via the run-cron link on the status report page and #793590: Switch to the anonymous user when running cron, it seems that cron jobs should be executed as an anonymous user, and you were right not to remove the 'access callback' => TRUE from /scheduler/cron/.

Hence the patch to be applied is the original at the top of this issue, not my patch in #2. Does anyone else want to confirm my understanding of this, and then mark it RTBC?

Jonathan
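To make the two menu definitions discussed in this thread concrete, here is an added example written for this issue; it is not the scheduler module's own code. It shows the admin path from the original report with the `'access callback' => TRUE` line removed so that `'administer scheduler'` is actually enforced, and the `/scheduler/cron` path from #4 where a TRUE callback is kept on purpose because cron is expected to run as the anonymous user. The two paths and the permission name come from the issue; the `scheduler_example_*` function names are hypothetical placeholders, and the D7 menu API is assumed (the D6 equivalent uses /admin/settings/scheduler/cron).

```php
<?php
/**
 * @file
 * Added example for this issue, not the scheduler module's own code.
 * Paths and the 'administer scheduler' permission are from the issue;
 * scheduler_example_* names are hypothetical placeholders. Drupal 7 API.
 */

/**
 * Implements hook_menu().
 */
function scheduler_example_menu() {
  $items = array();

  // Admin page with the "run lightweight cron now" button.
  //
  // The reported definition carried both of these keys:
  //   'access callback'  => TRUE,
  //   'access arguments' => array('administer scheduler'),
  // Drupal accepts a constant TRUE as the access callback without calling
  // any function, so 'access arguments' is never evaluated and anonymous
  // users can load the page and press the button. Omitting 'access callback'
  // makes the menu system fall back to its default, user_access(), called
  // with 'administer scheduler', which is the behaviour the author wanted.
  $items['admin/config/content/scheduler/cron'] = array(
    'title' => 'Lightweight cron',
    'description' => 'Run the scheduler cron job now.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('scheduler_example_cron_form'),
    'access arguments' => array('administer scheduler'),
    'type' => MENU_LOCAL_TASK,
  );

  // URL meant to be requested from crontab so that only the scheduler's own
  // work runs, not the full Drupal cron. Core runs cron as the anonymous
  // user, so here 'access callback' => TRUE is deliberate, and there is no
  // 'access arguments' entry that it silently overrides.
  $items['scheduler/cron'] = array(
    'title' => 'Scheduler lightweight cron',
    'page callback' => 'scheduler_example_cron_page',
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Runs only the scheduler's cron work (hypothetical helper).
 *
 * scheduler_cron() is assumed to be the module's hook_cron() implementation;
 * the guard keeps this example loadable when it is absent.
 */
function scheduler_example_run_cron() {
  if (function_exists('scheduler_cron')) {
    scheduler_cron();
  }
  watchdog('scheduler', 'Lightweight cron run completed.', array(), WATCHDOG_INFO);
}

/**
 * Page callback for scheduler/cron: do the work, return an empty response.
 */
function scheduler_example_cron_page() {
  scheduler_example_run_cron();
  drupal_exit();
}

/**
 * Form builder for the admin page (hypothetical).
 */
function scheduler_example_cron_form($form, &$form_state) {
  $form['run'] = array(
    '#type' => 'submit',
    '#value' => t("Run Scheduler's lightweight cron now"),
  );
  return $form;
}

/**
 * Submit handler: only reachable by users who passed user_access().
 */
function scheduler_example_cron_form_submit($form, &$form_state) {
  scheduler_example_run_cron();
  drupal_set_message(t('Lightweight cron has been run.'));
}
```

A quick way to confirm the fix on a site is to clear the menu cache (so hook_menu() is rebuilt), log out, and request the admin path: it should now return 403 Access denied, while /scheduler/cron still answers for the anonymous request that crontab makes.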

Eric-Alexander Schaefer

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jonathan1055

Version: 7.x-1.0 » 6.x-1.8
Priority: Major » Normal
Status: Closed (fixed) » Patch (to be ported)

I think this patch should be ported to D6 because scheduler_menu() is the same.

jonathan1055

Status: Patch (to be ported) » Needs review
FileSize
525 bytes

Here is the patch for D6, to block anon users from reaching /admin/settings/scheduler/cron.

fizk

Version: 6.x-1.8 » 6.x-1.x-dev
Status: Needs review » Reviewed & tested by the community

#8 works in 6.x-1.x HEAD. Please commit so we can release 6.x-1.9.

rickmanelius

Status: Reviewed & tested by the community » Fixed

Hi Jonathan and fizk.
This was committed: http://drupalcode.org/project/scheduler.git/commit/bd3a1ff

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.