Not sure if this was on purpose, but I noticed in the menu settings that one admin option had an access argument for the "administer scheduler" permission and then the access callback was TRUE, which totally negates the access perm and opens that functionality to anonymous users.
Also, here's a quick patch to amend that. For your consideration.
Comment | File | Size | Author
---|---|---|---
#8 | _1463378_8.scheduler.lightweight_cron_access.patch | 525 bytes | jonathan1055
#2 | _1463378_2.scheduler.lightweight_cron_access.patch | 947 bytes | jonathan1055
 | drupal-scheduler_cron_access-1.patch | 536 bytes | cntlscrut
Comments
Comment #1
jonathan1055 commented:
Hello,
Yes, you are right: anon users can run the scheduler lightweight cron, and I'm sure that is not intentional. I'll test the patch. The same fault is in the D6 version, so we should fix both.
Thanks for spotting this!
Jonathan
Comment #2
jonathan1055 commented:
Just tested the patch, and you fixed the access to /admin/config/content/scheduler/cron.
But running the cron via /scheduler/cron also needs to be fixed. The attached patch does both.
Comment #3
cntlscrut commented:
That looks good. The only reason I didn't remove the callback for "/scheduler/cron" was that I saw the use of being able to add a call to it in the crontab that wouldn't invoke the full Drupal cron functionality if it wasn't necessary.
My main issue was just that the admin functionality of triggering the run via a button was exposed to anon users.
Though the lightweight cron is nice, the Drupal cron is already set up and tested as secure, and even in larger instances it shouldn't pose a significant performance risk.
Looking at and testing the patch I don't see any major reason not to commit and tag a new release.
Comment #4
jonathan1055 commented:
Looking at #431776: Cron should run as anonymous when invoked via the run-cron link on the status report page and #793590: Switch to the anonymous user when running cron, it seems that cron jobs should be executed as an anonymous user, and you were right not to remove the 'access callback' => TRUE from /scheduler/cron/.
Hence the patch to be applied is the original at the top of this issue, not my patch in #2. Does anyone else want to confirm my understanding of this, and then mark it RTBC?
Jonathan
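Added illustration (not the Scheduler module's code and not one of the patches in this issue): a stand-alone PHP script that reproduces, in simplified form, how Drupal 7's menu router resolves 'access callback' and 'access arguments' (the relevant core logic lives in menu.inc, _menu_router_build() and _menu_check_access(); parent inheritance is omitted here). It shows why the item in the original report is reachable by anonymous users, why dropping the TRUE callback fixes it, and why /scheduler/cron, as discussed in #3 and #4, is left open deliberately. The 'example_*' callback names, the item titles and the two permission sets are hypothetical; the paths and the 'administer scheduler' permission are the ones from this issue.

```php
<?php
/**
 * Added example, not Drupal core or Scheduler module code. Simplified
 * stand-in for D7's menu access resolution so the effect of
 * 'access callback' => TRUE can be checked without a Drupal install.
 */

// admin/config/content/scheduler/cron as reported: the permission is listed,
// but the TRUE callback short-circuits it. ('example_cron_form' is hypothetical.)
$vulnerable_item = array(
  'title' => 'Lightweight cron',
  'page callback' => 'drupal_get_form',
  'page arguments' => array('example_cron_form'),
  'access arguments' => array('administer scheduler'),
  'access callback' => TRUE,
);

// The fix: leave 'access callback' unset so the router defaults it to
// user_access() with the listed permission.
$fixed_item = array(
  'title' => 'Lightweight cron',
  'page callback' => 'drupal_get_form',
  'page arguments' => array('example_cron_form'),
  'access arguments' => array('administer scheduler'),
);

// scheduler/cron: meant to be hit from a crontab as anonymous (see #4),
// so TRUE is the intended setting here. ('example_run_cron' is hypothetical.)
$public_cron_item = array(
  'page callback' => 'example_run_cron',
  'access callback' => TRUE,
  'type' => MENU_CALLBACK,
);

/**
 * Decide whether a user holding $permissions may access a router $item.
 * Mirrors the relevant steps of _menu_router_build() and _menu_check_access().
 */
function example_menu_access(array $item, array $permissions) {
  // _menu_router_build(): arguments without a callback mean user_access();
  // an unset/empty callback becomes 0; booleans are stored as integers.
  if (!isset($item['access callback']) && isset($item['access arguments'])) {
    $item['access callback'] = 'user_access';
  }
  if (empty($item['access callback'])) {
    $item['access callback'] = 0;
  }
  if (is_bool($item['access callback'])) {
    $item['access callback'] = intval($item['access callback']);
  }

  // _menu_check_access(): a numeric callback IS the decision. The
  // 'access arguments' are never consulted, which is the bug reported above.
  $callback = $item['access callback'];
  if (is_numeric($callback)) {
    return (bool) $callback;
  }
  $arguments = isset($item['access arguments']) ? $item['access arguments'] : array();
  if ($callback == 'user_access') {
    // Simplified user_access(): does the user hold the named permission?
    return in_array($arguments[0], $permissions, TRUE);
  }
  return function_exists($callback) && (bool) call_user_func_array($callback, $arguments);
}

// Hypothetical permission sets for an anonymous user and a site admin.
$anonymous = array('access content');
$admin = array('access content', 'administer scheduler');

$items = array(
  'vulnerable' => $vulnerable_item,
  'fixed' => $fixed_item,
  'public cron' => $public_cron_item,
);
foreach ($items as $label => $item) {
  printf("%-12s anonymous: %s  admin: %s\n", $label,
    example_menu_access($item, $anonymous) ? 'allowed' : 'denied',
    example_menu_access($item, $admin) ? 'allowed' : 'denied');
}
```

Run it with `php` on the command line (define `MENU_CALLBACK` first if you paste it outside Drupal, e.g. `define('MENU_CALLBACK', 4);`). The vulnerable item admits both users, the fixed item admits only the admin, and the public cron item admits both by design, which is the outcome the committed patch aims for.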
Comment #5
Eric-Alexander Schaefer commented:
Committed: http://drupalcode.org/project/scheduler.git/commit/635b7a3
Comment #7
jonathan1055 commented:
I think this patch should be ported to D6 because scheduler_menu() is the same.
Comment #8
jonathan1055 commented:
Here is the patch for D6, to block anon users from reaching /admin/settings/scheduler/cron.
Comment #9
fizk commented:
#8 works in 6.x-1.x HEAD. Please commit so we can release 6.x-1.9.
Comment #10
rickmanelius commented:
Hi Jonathan and fizk.
This was committed: http://drupalcode.org/project/scheduler.git/commit/bd3a1ff