From 1be5c1fd3b67100c70bfbf3443de315966182804 Mon Sep 17 00:00:00 2001
From: Ankit Agarwal <ankit@moodle.com>
Date: Fri, 19 Dec 2014 08:31:26 +0530
Subject: [PATCH 1/2] MDL-48559 cron: Disable web cron by default

---
 admin/settings/security.php | 3 ++-
 lang/en/admin.php           | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/admin/settings/security.php b/admin/settings/security.php
index af1e6c8..66cae6b 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -55,7 +55,8 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
 
     $temp->add(new admin_setting_configcheckbox('profilesforenrolledusersonly', new lang_string('profilesforenrolledusersonly','admin'),new lang_string('configprofilesforenrolledusersonly', 'admin'),'1'));
 
-    $temp->add(new admin_setting_configcheckbox('cronclionly', new lang_string('cronclionly', 'admin'), new lang_string('configcronclionly', 'admin'), 0));
+    $temp->add(new admin_setting_configcheckbox('cronclionly', new lang_string('cronclionly', 'admin'), new lang_string
+            ('configcronclionly', 'admin'), 1));
     $temp->add(new admin_setting_configpasswordunmask('cronremotepassword', new lang_string('cronremotepassword', 'admin'), new lang_string('configcronremotepassword', 'admin'), ''));
 
     $options = array(0=>get_string('no'), 3=>3, 5=>5, 7=>7, 10=>10, 20=>20, 30=>30, 50=>50, 100=>100);
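Review bot: The added `new lang_string` call is split between the class name and its opening parenthesis on the two `+` lines, which reads as a syntax slip rather than a deliberate wrap; break after the preceding comma instead, e.g. `$temp->add(new admin_setting_configcheckbox('cronclionly', new lang_string('cronclionly', 'admin'),` followed by `new lang_string('configcronclionly', 'admin'), 1));` on the continuation line. Changing the default from `0` to `1` only takes effect where `cronclionly` has not yet been written to config, so existing sites presumably keep web cron enabled unless an upgrade step (not in this patch) sets it; the companion security-report check in the second patch covers that case, which is worth saying in the commit description. The enclosing `if ($hassiteconfig)` block starts and ends outside the hunk.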
diff --git a/lang/en/admin.php b/lang/en/admin.php
index 8089a7f..545c233 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@@ -161,7 +161,7 @@ $string['configcourserequestnotify'] = 'Type username of user to be notified whe
 $string['configcourserequestnotify2'] = 'Users who will be notified when a course is requested. Only users who can approve course requests are listed here.';
 $string['configcoursesperpage'] = 'Enter the number of courses to be displayed per page in a course listing.';
 $string['configcourseswithsummarieslimit'] = 'The maximum number of courses to display in a course listing including summaries before falling back to a simpler listing.';
-$string['configcronclionly'] = 'If this is set, then the cron script can only be run from the command line instead of via the web.  This overrides the cron password setting below.';
+$string['configcronclionly'] = 'If this is set, then the cron script can only be run from the command line instead of via the web. This overrides the cron password setting below. Please note that, running cron from web can expose secure information to site users.';
 $string['configcronremotepassword'] = 'This means that the cron.php script cannot be run from a web browser without supplying the password using the following form of URL:<pre>
     http://site.example.com/admin/cron.php?password=opensesame
 </pre>If this is left empty, no password is required.';
-- 
1.9.1


From 1fd60b853bc89886d72da432b722d820228a71c1 Mon Sep 17 00:00:00 2001
From: Ankit Agarwal <ankit@moodle.com>
Date: Fri, 19 Dec 2014 08:48:15 +0530
Subject: [PATCH 2/2] MDL-48559 reports: security report checks for web cron

---
 report/security/lang/en/report_security.php |  4 ++++
 report/security/locallib.php                | 34 +++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/report/security/lang/en/report_security.php b/report/security/lang/en/report_security.php
index f3eb608..0bf5d9b 100644
--- a/report/security/lang/en/report_security.php
+++ b/report/security/lang/en/report_security.php
@@ -116,6 +116,10 @@ $string['check_unsecuredataroot_error'] = 'Your dataroot directory <code>{$a}</c
 $string['check_unsecuredataroot_name'] = 'Insecure dataroot';
 $string['check_unsecuredataroot_ok'] = 'Dataroot directory must not be accessible via the web.';
 $string['check_unsecuredataroot_warning'] = 'Your dataroot directory <code>{$a}</code> is in the wrong location and might be exposed to the web.';
+$string['check_webcron_details'] = '<p>Web cron could expose secure information to site users. Please disable it unless this is a development test site.</p>';
+$string['check_webcron_warning'] = 'Web cron should not be enabled on production sites.';
+$string['check_webcron_name'] = 'Web cron';
+$string['check_webcron_ok'] = 'Web cron is disabled.';
 $string['issue'] = 'Issue';
 $string['pluginname'] = 'Security overview';
 $string['security:view'] = 'View security report';
diff --git a/report/security/locallib.php b/report/security/locallib.php
index 41507c0..c30bc6a 100644
--- a/report/security/locallib.php
+++ b/report/security/locallib.php
@@ -56,6 +56,7 @@ function report_security_get_issue_list() {
         'report_security_check_defaultuserrole',
         'report_security_check_guestrole',
         'report_security_check_frontpagerole',
+        'report_security_check_webcron',
 
     );
 }
@@ -830,3 +831,36 @@ function report_security_check_riskbackup($detailed=false) {
 
     return $result;
 }
+
+/**
+ * Verifies the status of web cron
+ *
+ * @param bool $detailed
+ * @return object result
+ */
+function report_security_check_webcron($detailed = false) {
+    global $CFG;
+
+    $croncli = $CFG->cronclionly;
+
+    $result = new stdClass();
+    $result->issue   = 'report_security_check_webcron';
+    $result->name    = get_string('check_webcron_name', 'report_security');
+    $result->details = null;
+    $result->link    = "<a href=\"$CFG->wwwroot/$CFG->admin/settings.php?section=sitepolicies\">"
+            .get_string('sitepolicies', 'admin').'</a>';
+
+    if (empty($croncli)) {
+        $result->status = REPORT_SECURITY_WARNING;
+        $result->info   = get_string('check_webcron_warning', 'report_security');
+    } else {
+        $result->status = REPORT_SECURITY_OK;
+        $result->info   = get_string('check_webcron_ok', 'report_security');
+    }
+
+    if ($detailed) {
+        $result->details = get_string('check_webcron_details', 'report_security');
+    }
+
+    return $result;
+}
\ No newline at end of file
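Review bot: The new `report_security_check_webcron` function ends without a trailing newline (the `\ No newline at end of file` marker), which the file's other functions do not; add the final newline. The check warns whenever `$CFG->cronclionly` is empty, without looking at `cronremotepassword`, so a site that protects web cron with a password still gets a plain warning; if that is intended (a URL password can end up in logs and proxies), a one-line comment such as `// A cron password does not downgrade this warning: it can leak via URLs, logs and proxies.` above the `if (empty($croncli))` would save the next reader from "fixing" it. The `$croncli` local is only read once and could be inlined as `if (empty($CFG->cronclionly))`, matching how the function already reads `$CFG->wwwroot` directly. The link targets `section=sitepolicies`; I assume that is the section the first patch's `admin/settings/security.php` registers, but the section name is not visible in these hunks, so please confirm.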
-- 
1.9.1

