View Issue Details

ID: 09764
Project: Feature requests
Category: Plugins
View Status: public
Last Update: 2015-07-21 18:31
Reporter: JanE
Assigned To: DenisChenu
Priority: normal
Severity: feature
Status: closed
Resolution: won't fix
Summary: 09764: Run Console Applications from within a PHP script

Description: We ran into a situation where we had the need to run console applications from within a PHP script. The use case: an application outside of LimeSurvey adds people to the LimeSurvey token table. We already have a console app that sends invitations to those people. However, console apps can only be run by a cron job or by a system() call in a PHP script. Both are not preferable in our case.

With limited changes to application/commands/console.php and framework/console/CConsoleApplication.php it is possible to call a console app from within a PHP script. In a follow-up to this bug report I will post the patch that is needed.

Additional Information: If you are worried about the security: this has no impact, because application/commands/console.php will still be protected from direct calls.

Tags: No tags attached.
Bug heat: 8

Activities

JanE

2015-07-07 18:11

reporter   ~32638

The patch is here:
https://github.com/Jan-E/LimeSurvey/commit/75a584feba14cc16207a31c8b34ca17fb2bb5f55

In short:
1. Comment out the 2 checks for isset($argv[0])
2. Add a $app->setCommand to console.php
3. Use a $this->getCommand() in CConsoleApplication.php to run the command

We use this as follows:
$run_console_command = 'invite';
require_once('application/commands/console.php');

In this way we can do a direct call to the InviteCommand plugin by @Mazi:
http://www.limesurvey-templates.com/automatically-send-email-invitations-p-49.html

DenisChenu

2015-07-07 18:15

developer   ~32640

But: Remote control API can send invitation/reminder: not needed.

And please: console is made for console! Security issue.

JanE

2015-07-07 19:01

reporter   ~32644

Last edited: 2015-07-07 19:59

See the first post: there is no security issue, because application/commands/console.php is not accessible from outside. It is protected by the application/.htaccess.

With respect to the Remote Control API: this requires a login with Admin rights AFAIK. Of course you can script that as well, but putting a plain text password in get_session_key is more of a security risk than calling a console app with require_once, but without password from within a PHP script.

JanE

2015-07-07 20:08

reporter   ~32645

Besides that: the remote control API does not send Registration mails according to the docs. And this is exactly what we want to do. We slightly adjusted @Mazi's script for that.

DenisChenu

2015-07-07 20:13

developer   ~32646

The patch API to allow sending registration email.

JanE

2015-07-07 20:33

reporter   ~32647

I can find invite_participants() and remind_participants() in application/helpers/remotecontrol_handle.php

Where is the corresponding function for sending registration emails?

Mazi

2015-07-07 20:49

partner   ~32648

So why not extend the API to support sending registration emails?

That's something I'd definitely support because I can think of lots of use cases.

JanE

2015-07-07 21:14

reporter   ~32649

Ah, I now see that Denis meant to say 'Then patch the API ...'.

@Mazi: we can do both. The Remote Control API is limited by nature. Only things that have been added to it can be done with it. Console apps can be added quite easily without the need to patch and update LimeSurvey. It could be a good way to test new ideas before submitting them to core.

I really do not see the security issue. If the developer does not declare $run_console_command in a PHP-script and/or does not require_once('path/console.php') nothing has changed. If needed the argv[0] checks could be put back in place and be something like:

if(!isset($_SERVER['argv']) && !isset($run_console_command))

Mazi

2015-07-08 11:55

partner   ~32651

JanE, from my point of view the best approach (which we also followed at similar requests) is:
1. extending the API (remotecontrol.php script) to include the new function
2. test in depth
3. provide a pull request for LS 2.06 (master) and the upcoming LS 3.0
4. update the documentation at https://manual.limesurvey.org/RemoteControl_2_API

That way others benefit from your changes as well and you are future-safe when updating later.

DenisChenu

2015-07-08 12:01

developer   ~32652

Sorry, then, not the ....

Yes, API is done to do something in LimeSurvey
console is here for console

We don't have a feature request to allow API function by plugin?

JanE

2015-07-08 12:22

reporter   ~32654

Yesterday evening and this morning I had a hell of a job to even get the remote control working properly. /index.php/admin/remotecontrol showed perfectly from outside, but all responses from the remote control API were empty.

Our provider has the feature to clone a VPS to another VPS and to my surprise the RC API worked on the clone. It took a lot of debugging to find the cause: Apache on the testing environment was not listening on IPv6 for the test domain and cURL was trying to connect over IPv6.

I already had changed the RC handler, but now I finally can start testing it. Work in progress.

sammousa

2015-07-21 15:48

reporter   ~32736

I am not sure about the use case for this but:
1. .htaccess is not enough protection (other webservers don't use it).
2. This does not run console applications from PHP, it runs PHP scripts from within another PHP script.
3. If the goal is to use a Yii ConsoleCommand from PHP then there are better solutions; changing the framework code is not an option.

I suggest closing this since changing framework code is not acceptable (and will be reverted the next time we upgrade the framework or when LS3 hits and the framework code is no longer in our repository).
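
Point 1 of the note above, as an added example that is not part of this thread or of LimeSurvey's or Yii's code: a guard inside the entry script itself, based on the PHP SAPI rather than on `.htaccess` or on `argv`, which a web SAPI fills from the query string when `register_argc_argv` is on. All function names and the sample `$_SERVER` array are constructed for illustration.

```php
<?php
// Added illustration; not LimeSurvey or Yii code. All function names are hypothetical.

/**
 * argv-based check, similar in spirit to isset($argv[0]).
 * Under a web SAPI with register_argc_argv=On, PHP fills $_SERVER['argv']
 * from the query string of a GET request, so this can be true for a web hit.
 */
function argv_says_cli(array $server): bool
{
    return isset($server['argv'][0]);
}

/**
 * SAPI-based check. The value comes from the PHP binary that is running
 * (PHP_SAPI / php_sapi_name()), not from anything in the request.
 */
function sapi_says_cli(string $sapi): bool
{
    return $sapi === 'cli';
}

/** Refuse to continue unless started from the command line. */
function require_cli(string $sapi = PHP_SAPI): void
{
    if (!sapi_says_cli($sapi)) {
        if (!headers_sent()) {
            http_response_code(403);
        }
        exit("Command line only.\n");
    }
}

// Constructed sample: $_SERVER as a web SAPI may populate it for a GET
// request with query string "invite" when register_argc_argv=On.
$constructedWebServerVars = [
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => 'invite',
    'argv'           => ['invite'],
    'argc'           => 1,
];

printf("argv check on constructed web request: %s\n",
    var_export(argv_says_cli($constructedWebServerVars), true));
printf("SAPI check for 'apache2handler': %s\n", var_export(sapi_says_cli('apache2handler'), true));
printf("SAPI check for current SAPI (%s): %s\n", PHP_SAPI, var_export(sapi_says_cli(PHP_SAPI), true));

// At the top of a console entry script, independent of .htaccess or any web server rule:
require_cli();
```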

JanE

2015-07-21 15:57

reporter   ~32737

I cannot close it. I would have done it already if I could, because I am now using the LSRC for the use case.

JanE

2015-07-21 16:04

reporter   ~32738

Maybe you should "Allow Reporter to close Issue"
https://www.mantisbt.org/forums/viewtopic.php?f=3&t=21761

JanE

2015-07-21 16:09

reporter   ~32739

Last edited: 2015-07-21 17:10

FWIW: reporters can only Monitor or End Monitoring. We cannot Assign to, Change status, Stick/unstick, Clone or Close. We can't even Edit the original issue.

DenisChenu

2015-07-21 18:31

developer   ~32740

I don't see the Yii framework update ... console.php is done for console not for web.

Issue History

Date Modified Username Field Change
2015-07-07 18:00 JanE New Issue
2015-07-07 18:11 JanE Note Added: 32638
2015-07-07 18:15 DenisChenu Note Added: 32640
2015-07-07 19:01 JanE Note Added: 32644
2015-07-07 19:56 JanE Note Edited: 32644
2015-07-07 19:59 JanE Note Edited: 32644
2015-07-07 20:08 JanE Note Added: 32645
2015-07-07 20:13 DenisChenu Note Added: 32646
2015-07-07 20:33 JanE Note Added: 32647
2015-07-07 20:49 Mazi Note Added: 32648
2015-07-07 21:14 JanE Note Added: 32649
2015-07-08 11:55 Mazi Note Added: 32651
2015-07-08 12:01 DenisChenu Note Added: 32652
2015-07-08 12:22 JanE Note Added: 32654
2015-07-21 15:48 sammousa Note Added: 32736
2015-07-21 15:57 JanE Note Added: 32737
2015-07-21 16:04 JanE Note Added: 32738
2015-07-21 16:09 JanE Note Added: 32739
2015-07-21 17:10 JanE Note Edited: 32739
2015-07-21 18:31 DenisChenu Note Added: 32740
2015-07-21 18:31 DenisChenu Status new => closed
2015-07-21 18:31 DenisChenu Assigned To => DenisChenu
2015-07-21 18:31 DenisChenu Resolution open => won't fix