With patch from March 12, 2010 ! (http://drupal.org/node/431776) it is no longer possible to run cron as authenticated user as described in Running cron as an authenticated user. Every cron call is forced to run as anonymous user:

function drupal_cron_run()
  // Force the current user to anonymous to ensure consistent permissions on
  // cron runs.
  $original_user = $GLOBALS['user'];
  $GLOBALS['user'] = drupal_anonymous_user();

I confirm the comment Each module that implements hook_cron must handle access. I wonder nobody else reported this problem before - for such a long time. Maybe I'm blind but I haven't yet found a solution for this.

Comments

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Category: bug » support
Status: Active » Postponed (maintainer needs more info)

It "works as designed". Are you wanting to change the design; if so, it is a "feature request"? What is trying to be accomplished that won't work now?

dreizwo’s picture

dreizwo CreditAttribution: dreizwo commented

Well, it is designed to run cron only as anoymous user. The documentation tells it is possible to run cron as authenticated user instead and this is wrong! Maybe it's a feature request, but in my mind it's a bug - unless modules implementing hook_cron should only contain code, which is accessible for anonymous user. In other words, a cron run may include operations, wich are explicitly designed to be only executable and accesible for authenticated user. Let me know: what are my errors in reasoning? I'm happy to get new points of view.

dreizwo’s picture

dreizwo CreditAttribution: dreizwo commented

Well, it is designed to run cron only as anoymous user.... Sorry double post - Thank you iPad ;-)

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

I know from experience with xmlsitemap that cron.php is expected to be executed as anonymous user. Quite difficult for it to be otherwise. A user can be logged in a run cron but the API forces the anonymous user to have a consistent user with which executes cron. Maybe the understanding that cron, although can be run as an authenticated user, changes its user to anonymous is what needs documented. Otherwise important things will break and you'll have some security issues to deal with.

dreizwo’s picture

dreizwo CreditAttribution: dreizwo commented

if a module needs a anonymous user, like xmlsitemap, the module itself should ensure this behaviuor in my mind, just as a module handles all other security issues itself,too. In fact you can initiate cron as authenticaded user - but you cannot execute cron. So, the bottom line is that there is no diffrence between both variants. Which other modules need that behaviour, you described and what would you suggest, to do if you need an authenticated user? What are the alternatives to cron?

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Title: Impossible to run cron as authenticated user » Documentation on running cron as authenticated user is out of date
Component: cron system » documentation
Category: support » task

Moving this to a documentation issue.

#431776: Cron should run as anonymous when invoked via the run-cron link on the status report page explains the overall rationale, which indeed was consistency. (I'm not sure security comes into play here one way or the other).

In general, well-written cron code should not care - at the API level - which user is logged in when it is running. In the event that some module has code which does care and needs its hook_cron() implementation to run as a different user, the module can still impersonate that user for the duration of the hook_cron() implementation using a similar technique that core does in drupal_cron_run() itself. But I don't think it makes sense to go back to a situation where this choice is left up to the person running cron.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Title: Documentation on running cron as authenticated user is out of date » Documentation on running cron as an authenticated user is out of date
Version: 7.15 » 8.x-dev
Status: Postponed (maintainer needs more info) » Active
Issue tags: +Needs backport to D7

I guess this is mainly a drupal.org documentation issue, but maybe it affects the codebase also, so moving to Drupal 8 for now.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented

I edited the on-line documentation page in question, since no one else had bothered to do so yet. (Folks: that is what the Edit button is for on documentation pages!)

Regarding API docs... Some places this maybe should be documented:
- search.api.php - describing indexing of nodes, note that all the nodes are indexed, but they're built from displays as seen by an anonymous user [I think?]
- The drupal_cron_run() function documentation should mention this.
- The hook_cron() documentation should mention this.

That's all I see...

dreizwo’s picture

dreizwo CreditAttribution: dreizwo commented

#6: I agree with your statements, in hope that it will be changed in D8. Until then I'll add my own 'cron' implementation beside, just running special-purpose jobs, which will leave the existing one untouched.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

koppie’s picture

koppie CreditAttribution: koppie at Business Wire commented
Assigned: Unassigned » koppie
Issue summary: View changes
Status: Active » Fixed

It looks like this ticket has been resolved:

  1. Drupal 7 documentation now says "Running cron as an authenticated user (D6 and earlier only)", and in the body text for that section, it specifies "Note that as of Drupal 7, cron always runs as an anonymous user, so this will not work in Drupal 7 and later versions!" See https://www.drupal.org/node/23714
  2. Drupal 8 documentation doesn't discuss user authentication for cron at all: https://www.drupal.org/docs/8/cron-automated-tasks/cron-automated-tasks-...

Given that the documentation has been updated, I think it's time to close this.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.