The project_db_rewrite_sql() hook prevents cron.php from closing tickets that were closed more than a week ago. That is, since cron.php is running as anonymous and anonymous users on my site aren't permitted to see our issues (you must login to do that), the cron task fails to see the tickets that need closing in order to close them.

The solution seems to be to strip out the db_rewrite_sql() call and just execute the given SQL as is (or run cron.php manually as a logged user with access to the issues).

CommentFileSizeAuthor
#4 project_issue_cron_fix_0.patch1.15 KBhunmonk
#3 project_issue_cron_fix.patch1.16 KBhunmonk

Comments

hunmonk’s picture

hunmonk commented

hm. i thought we had fixed this issue previously...

dww’s picture

dww
we/he/they
commented

nope, we never fixed this... we talked about it, but never actually worked on it.

hunmonk’s picture

hunmonk commented
Version: 5.x-1.0 » 5.x-2.x-dev
Status: Active » Needs review
StatusFileSize
new project_issue_cron_fix.patch1.16 KB

i don't think there's a security risk here with removing the db_rewrite_sql(). we're loading up nodes and project comments internally and saving them back again. reviewing the code flow, i don't see any opportunities for any kind of attack vector, and there's no user output.

hunmonk’s picture

hunmonk commented
Assigned: Unassigned » hunmonk
Status: Needs review » Fixed
StatusFileSize
new project_issue_cron_fix_0.patch1.15 KB

drumm: hunmonk, eaton: there is a precedent for not using db_rewrite_sql on cron-- the search indexer

moshe_work: hunmonk: looks ok to me too

i believe enough of us agree to move forward with this approach... :)

attached was applied to 5.x-1.x, 4.7.x-1.x, 4.7.x-2.x

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)