With patch from March 12, 2010 ! (http://drupal.org/node/431776) it is no longer possible to run cron as authenticated user as described in Running cron as an authenticated user. Every cron call is forced to run as anonymous user:

function drupal_cron_run()
  // Force the current user to anonymous to ensure consistent permissions on
  // cron runs.
  $original_user = $GLOBALS['user'];
  $GLOBALS['user'] = drupal_anonymous_user();

I confirm the comment Each module that implements hook_cron must handle access. I wonder nobody else reported this problem before - for such a long time. Maybe I'm blind but I haven't yet found a solution for this.


earnie’s picture

Category:bug» support
Status:Active» Postponed (maintainer needs more info)

It "works as designed". Are you wanting to change the design; if so, it is a "feature request"? What is trying to be accomplished that won't work now?

dreizwo’s picture

Well, it is designed to run cron only as anoymous user. The documentation tells it is possible to run cron as authenticated user instead and this is wrong! Maybe it's a feature request, but in my mind it's a bug - unless modules implementing hook_cron should only contain code, which is accessible for anonymous user. In other words, a cron run may include operations, wich are explicitly designed to be only executable and accesible for authenticated user. Let me know: what are my errors in reasoning? I'm happy to get new points of view.

dreizwo’s picture

Well, it is designed to run cron only as anoymous user.... Sorry double post - Thank you iPad ;-)

earnie’s picture

I know from experience with xmlsitemap that cron.php is expected to be executed as anonymous user. Quite difficult for it to be otherwise. A user can be logged in a run cron but the API forces the anonymous user to have a consistent user with which executes cron. Maybe the understanding that cron, although can be run as an authenticated user, changes its user to anonymous is what needs documented. Otherwise important things will break and you'll have some security issues to deal with.

dreizwo’s picture

if a module needs a anonymous user, like xmlsitemap, the module itself should ensure this behaviuor in my mind, just as a module handles all other security issues itself,too. In fact you can initiate cron as authenticaded user - but you cannot execute cron. So, the bottom line is that there is no diffrence between both variants. Which other modules need that behaviour, you described and what would you suggest, to do if you need an authenticated user? What are the alternatives to cron?

David_Rothstein’s picture

Title:Impossible to run cron as authenticated user» Documentation on running cron as authenticated user is out of date
Component:cron system» documentation
Category:support» task

Moving this to a documentation issue.

#431776: Cron should run as anonymous when invoked via the run-cron link on the status report page explains the overall rationale, which indeed was consistency. (I'm not sure security comes into play here one way or the other).

In general, well-written cron code should not care - at the API level - which user is logged in when it is running. In the event that some module has code which does care and needs its hook_cron() implementation to run as a different user, the module can still impersonate that user for the duration of the hook_cron() implementation using a similar technique that core does in drupal_cron_run() itself. But I don't think it makes sense to go back to a situation where this choice is left up to the person running cron.

David_Rothstein’s picture

Title:Documentation on running cron as authenticated user is out of date» Documentation on running cron as an authenticated user is out of date
Version:7.15» 8.x-dev
Status:Postponed (maintainer needs more info)» Active
Issue tags:+needs backport to D7

I guess this is mainly a drupal.org documentation issue, but maybe it affects the codebase also, so moving to Drupal 8 for now.

jhodgdon’s picture

I edited the on-line documentation page in question, since no one else had bothered to do so yet. (Folks: that is what the Edit button is for on documentation pages!)

Regarding API docs... Some places this maybe should be documented:
- search.api.php - describing indexing of nodes, note that all the nodes are indexed, but they're built from displays as seen by an anonymous user [I think?]
- The drupal_cron_run() function documentation should mention this.
- The hook_cron() documentation should mention this.

That's all I see...

dreizwo’s picture

#6: I agree with your statements, in hope that it will be changed in D8. Until then I'll add my own 'cron' implementation beside, just running special-purpose jobs, which will leave the existing one untouched.