Moodle / MDL-68631

Cron current user may not be reset between scheduled tasks


    Details

    • Testing Instructions:

      Contrive a scenario where the mod_forum\task\cron_task runs before another task that generates logged events like core\task\completion_regular_task, e.g.:

      1. Prevent automatic execution of cron for this test. Set $CFG->maxeditingtime to 1 in config.php to avoid wasting your time waiting for forum posts to be sent.
      2. Establish a course with two students.
        • Students should have their preferences set to receive individual forum post notifications and read tracking.
        • Add a Forum with forced subscription.
        • Add a Page resource, set its activity completion condition to be manual.
        • Configure course completion to be dependent on the Page resource.
      3. Log in as the first student and mark the Page resource as complete.
      4. At a command line, execute admin/cli/cron.php to prime the course completion process. The second cron invocation to come triggers the course completion event.
      5. Log in as the second student and post in the Forum.
      6. At a command line, run the cron script.
        • Verify in the output that the mod_forum\task\cron_task task was run.
        • Verify that the core\task\completion_regular_task task was also run, and that it ran after the forum task.
      7. As a teacher/admin, view the course log. Observe the 'User full name' column for a 'course completed' event affecting the first student.
        • Without the fix it ought to show a non-admin user, hopefully the second student used above.
        • With the fix it will show the site admin user.
    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • Pull from Repository:
    • Pull 3.8 Branch:
    • Pull Master Branch:

      Description

      Scheduled tasks that change the current effective user typically reset it by calling cron_setup_user() before returning. However, mod_forum\task\cron_task::queue_user_tasks() overlooks this. As a result, if the scheduled tasks that run afterwards trigger logged events, the effective user of those events will be whoever was last set by Forum's task.

      To avoid such accidents in general, cron_run_inner_scheduled_task() ought to call cron_setup_user() in the same manner that cron_run_inner_adhoc_task() does.

      This problem raises privacy concerns because a cron task could be run with the wrong cronuser set and that task may send out personal information about that user.
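
      The leak described above, as an added stand-alone PHP model (not Moodle code and not the patch for this issue). It does not load Moodle: every function name is a hypothetical stand-in for the Moodle function named in its comment, the user names are constructed, and resetting before each task is an assumption about where the fix is placed.

```php
<?php
// Stand-alone model of the stale-user leak between scheduled tasks.
// Hypothetical names throughout; nothing here calls Moodle itself.

$USER = null;      // models Moodle's global effective user
$eventlog = [];    // models the course log

const CRON_USER = 'admin';

// Models cron_setup_user() called with no user: back to the cron (admin) user.
function reset_cron_user(): void {
    global $USER;
    $USER = CRON_USER;
}

// Models a task that switches user per recipient and returns without
// resetting, as the issue reports for mod_forum\task\cron_task.
function forum_task(): void {
    global $USER;
    foreach (['student1', 'student2'] as $recipient) {   // constructed users
        $USER = $recipient;   // work is done "as" each recipient
    }
    // Missing here: reset_cron_user()
}

// Models a later task that triggers a logged event, such as
// core\task\completion_regular_task. The log records the current $USER.
function completion_task(): void {
    global $USER, $eventlog;
    $eventlog[] = ['event' => 'course_completed', 'affected' => 'student1', 'actor' => $USER];
}

// Models the scheduled-task runner. $resetbefore = true is the proposed
// behaviour: reset the user before every task (assumed placement), so
// one task's omission cannot affect the next.
function run_scheduled_tasks(array $tasks, bool $resetbefore): array {
    global $eventlog;
    $eventlog = [];
    reset_cron_user();
    foreach ($tasks as $task) {
        if ($resetbefore) {
            reset_cron_user();
        }
        $task();
    }
    return $eventlog;
}

foreach ([false, true] as $fixed) {
    $log = run_scheduled_tasks(['forum_task', 'completion_task'], $fixed);
    printf("%s: actor=%s\n", $fixed ? 'with reset' : 'without reset', $log[0]['actor']);
}
```

      Resetting in the runner rather than in each task means the guarantee does not depend on every task author remembering to restore the user.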

            People

            Assignee:
            jonof Jonathon Fowler
            Reporter:
            jonof Jonathon Fowler
            Peer reviewer:
            Andrew Nicols
            Integrator:
            Jake Dallimore
            Tester:
            Jake Dallimore
            Participants:
            Component watchers:
            Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              13/Jul/20

                Time Tracking

                Estimated: 0m
                Remaining: 0m
                Logged: 1h 40m