I am fairly new to CRONJOBs, but how do I stop someone just running www.mysite.com/cron/daily e.g. repeatedly?
I have daily tasks set up and surely this will just initiate them all the time.
Matt Beckett (@Beck24) - 0 likes
Currently there is nothing stopping anyone from doing this - there was some discussion about it recently, Steve Clay created a plugin to deal with it.

Team Webgalli (@webgalli) - 0 likes
There is no plugin available to restrict the cron usage by public. But you can achieve it by:
- Call the cron with a secret key like : http://myelggsite/cron/daily/?key=1234
- Hook into the cron and listen for secret key
- If no key exists, exit the cron

DhrupDeScoop (@Dhrup2000) - 0 likes
in addition to that 'key' checking -- can also verify other server variables to make certain that it is a legitimate cron call and only by elgg admin logged-in.

Matt Beckett (@Beck24) - 0 likes
My mistake, I was thinking of the upgrade.php discussion that has a plugin here: https://github.com/mrclay/Elgg-mrclay_upgrade_key
Cron can be done with a similar method.
@Dhrup - cron doesn't get called by a logged in admin

DhrupDeScoop (@Dhrup2000) - 0 likes
@Matt: ohh lolzers -->
andy axed re: - '... just running www.mysite.com/cron/daily...' ?
so... was not a statement of pre-existing fact; but a mere suggestion for some little extra piddley diidley code to control the pseudo-cron even moare for legitimacy if triggered via that direct url above ;-o) & not simply via an unsecured 'get' key.

Matt Beckett (@Beck24) - 0 likes
Yes, but if you throw in an exit statement if !admin then your real cron will stop working too, or am I missing something?

DhrupDeScoop (@Dhrup2000) - 0 likes
do you mean 'exit statement.. if admin.... ' on the php/elgg side ? and the linux 'cron' ?

Andy1966uk (@Andy1966uk) - 0 likes
thanks folks, but my coding is very limited so not sure I could utilise a key etc.

DhrupDeScoop (@Dhrup2000) - 0 likes
@matt: && btw - all that code such as ' function cron_page_handler... ' seen all over elgg core is not, not real cron, as in not & nada to do w/ stuff that ticks within linux's cron daemon ? so-o-o real cron kinda not cares what some php code is doing elsewhere; ergo - that's why i said 'pseudo-cron' ;-)
@andy: depends on what you want to achieve & what controls might be needed; elgg's pseudo cron (wish everyone used this same & proper terminology so as not to confuse;) will execute the (sic) cron'ed code anyway - via that direct url, soo we're stuck in the middle of the road. why not just use straight, proper, real cron ? then can more easily put up blocks against direct http calls to the code. e.g $argc & $argv with the cron code actually supplying some key to verify; or just hitting /usr/bin/php and/or bash to run the elgg + php stuff via background shell_exec... more work!
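
Added example, not code from the thread or from Elgg: a plain PHP gate that combines the two ideas discussed above, the `?key=` check on the web URL and a key passed through `$argv` when real cron runs the script from the command line. The function name, the secret and the sample requests are constructed for illustration; wiring it into Elgg's cron page handler is left out because the thread does not show that code.

```php
<?php
// Hypothetical helper; requires PHP 7.1+ (hash_equals itself needs 5.6+).

/**
 * Decide whether a cron trigger may run.
 *
 * $sapi     value of php_sapi_name(): 'cli' for real cron, else a web SAPI
 * $query    $_GET of the request (web triggers)
 * $argv     command-line arguments (CLI triggers); argv[1] carries the key
 * $expected the shared secret, kept outside the web root
 */
function cron_trigger_allowed(string $sapi, array $query, array $argv, string $expected): bool
{
    if ($expected === '') {
        return false;               // no secret configured: fail closed
    }
    // Only trust argv under the CLI SAPI. Some web setups also populate
    // argv (register_argc_argv), where it is derived from the query string.
    $supplied = ($sapi === 'cli') ? ($argv[1] ?? '') : ($query['key'] ?? '');

    if (!is_string($supplied)) {
        return false;               // ?key[]=x arrives as an array
    }
    // Constant-time comparison, so response timing does not leak the key.
    return hash_equals($expected, $supplied);
}

// Constructed sample triggers.
$secret = 'constructed-example-secret';
$cases = [
    'web, no key'    => ['apache2handler', [], []],
    'web, wrong key' => ['apache2handler', ['key' => '1234'], []],
    'web, array key' => ['apache2handler', ['key' => ['x']], []],
    'web, right key' => ['apache2handler', ['key' => $secret], []],
    'cli, no key'    => ['cli', [], ['cron.php']],
    'cli, right key' => ['cli', [], ['cron.php', $secret]],
];

foreach ($cases as $label => [$sapi, $query, $argv]) {
    $ok = cron_trigger_allowed($sapi, $query, $argv, $secret);
    printf("%-15s %s\n", $label, $ok ? 'run tasks' : 'refuse');
}
```

A key sent in the query string is recorded in web server access logs, so the CLI path keeps the secret out of HTTP entirely.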