Merge branch 'MDL-48559-master' of git://github.com/ankitagarwal/moodle

2025-04-20 16:04:25 +02:00 · 2015-02-16 16:51:51 +08:00 · 2015-02-16 16:51:51 +08:00 · a27b8c9b3b
commit a27b8c9b3b
parent 73152e4dff 1ae85f2184
5 changed files with 45 additions and 2 deletions
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@ -55,7 +55,8 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page

    $temp->add(new admin_setting_configcheckbox('profilesforenrolledusersonly', new lang_string('profilesforenrolledusersonly','admin'),new lang_string('configprofilesforenrolledusersonly', 'admin'),'1'));

-    $temp->add(new admin_setting_configcheckbox('cronclionly', new lang_string('cronclionly', 'admin'), new lang_string('configcronclionly', 'admin'), 0));
+    $temp->add(new admin_setting_configcheckbox('cronclionly', new lang_string('cronclionly', 'admin'), new lang_string
+            ('configcronclionly', 'admin'), 1));
    $temp->add(new admin_setting_configpasswordunmask('cronremotepassword', new lang_string('cronremotepassword', 'admin'), new lang_string('configcronremotepassword', 'admin'), ''));

    $options = array(0=>get_string('no'), 3=>3, 5=>5, 7=>7, 10=>10, 20=>20, 30=>30, 50=>50, 100=>100);
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@ -161,7 +161,7 @@ $string['configcourserequestnotify'] = 'Type username of user to be notified whe
 $string['configcourserequestnotify2'] = 'Users who will be notified when a course is requested. Only users who can approve course requests are listed here.';
 $string['configcoursesperpage'] = 'Enter the number of courses to be displayed per page in a course listing.';
 $string['configcourseswithsummarieslimit'] = 'The maximum number of courses to display in a course listing including summaries before falling back to a simpler listing.';
-$string['configcronclionly'] = 'If this is set, then the cron script can only be run from the command line instead of via the web.  This overrides the cron password setting below.';
+$string['configcronclionly'] = 'If this is set, then the cron script can only be run from the command line instead of via the web. This overrides the cron password setting below. Please note that, running cron from web can expose secure information to site users.';
 $string['configcronremotepassword'] = 'This means that the cron.php script cannot be run from a web browser without supplying the password using the following form of URL:<pre>
    http://site.example.com/admin/cron.php?password=opensesame
 </pre>If this is left empty, no password is required.';
--- a/lib/tests/behat/behat_hooks.php
+++ b/lib/tests/behat/behat_hooks.php
@ -205,6 +205,9 @@ class behat_hooks extends behat_base {
        $user = $DB->get_record('user', array('username' => 'admin'));
        \core\session\manager::set_user($user);

+        // Enable web cron.
+        set_config('cronclionly', 0);
+
        // Reset the browser if specified in config.php.
        if (!empty($CFG->behat_restart_browser_after) && $this->running_javascript()) {
            $now = time();
--- a/report/security/lang/en/report_security.php
+++ b/report/security/lang/en/report_security.php
@ -116,6 +116,10 @@ $string['check_unsecuredataroot_error'] = 'Your dataroot directory <code>{$a}</c
 $string['check_unsecuredataroot_name'] = 'Insecure dataroot';
 $string['check_unsecuredataroot_ok'] = 'Dataroot directory must not be accessible via the web.';
 $string['check_unsecuredataroot_warning'] = 'Your dataroot directory <code>{$a}</code> is in the wrong location and might be exposed to the web.';
+$string['check_webcron_details'] = '<p>Web cron can expose priviedged information to anonymous users. It is recommended to use CLI cron or protect the cron page with a passphrase.</p>';
+$string['check_webcron_warning'] = 'Anonymous users can access cron.';
+$string['check_webcron_name'] = 'Web cron';
+$string['check_webcron_ok'] = 'Anonymous users can not access cron.';
 $string['issue'] = 'Issue';
 $string['pluginname'] = 'Security overview';
 $string['security:view'] = 'View security report';
--- a/report/security/locallib.php
+++ b/report/security/locallib.php
@ -56,6 +56,7 @@ function report_security_get_issue_list() {
        'report_security_check_defaultuserrole',
        'report_security_check_guestrole',
        'report_security_check_frontpagerole',
+        'report_security_check_webcron',

    );
 }
@ -830,3 +831,37 @@ function report_security_check_riskbackup($detailed=false) {

    return $result;
 }
+
+/**
+ * Verifies the status of web cron
+ *
+ * @param bool $detailed
+ * @return object result
+ */
+function report_security_check_webcron($detailed = false) {
+    global $CFG;
+
+    $croncli = $CFG->cronclionly;
+    $cronremotepassword = $CFG->cronremotepassword;
+
+    $result = new stdClass();
+    $result->issue   = 'report_security_check_webcron';
+    $result->name    = get_string('check_webcron_name', 'report_security');
+    $result->details = null;
+    $result->link    = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">"
+            .get_string('sitepolicies', 'admin').'</a>';
+
+    if (empty($croncli) && empty($cronremotepassword)) {
+        $result->status = REPORT_SECURITY_WARNING;
+        $result->info   = get_string('check_webcron_warning', 'report_security');
+    } else {
+        $result->status = REPORT_SECURITY_OK;
+        $result->info   = get_string('check_webcron_ok', 'report_security');
+    }
+
+    if ($detailed) {
+        $result->details = get_string('check_webcron_details', 'report_security');
+    }
+
+    return $result;
+}