Security Cron Jobs

Business perspective: Security Rebuild Crons

1. Business Summary

Background queue rebuilding row-level privilege records when entities are created/updated/deleted; supports retry, blacklist, and on-behalf attribution.

2. Business Value

Maintains correctness of pre-computed security tables underlying RBAC.

3. Users / Stakeholders

System / admins.

4. Workflows

  • Insert into cron_job_sqs on entity changes.
  • callSecurityCronJobs(controller, item_id, user_id, action, cron_id) dequeues + invokes SecuritySystem::setPrivilegesWithCronJob.
  • On error, status=2/3; retry per configured intervals.

5. Sub-Features

  • Hardcoded blacklist of heavy items.
  • on_behalf_id attribution.
  • Test runners for unit-style verification.

6. Business Rules

  • Auth::allow('*') in beforeFilter — endpoint must be network-restricted.
  • Admins bypass row-level checks.

7. Data Entities

cron_job_sqs (queue), Security{Entity}, Security{Entity}User.

8. Entry Points

  • security_cron_jobs/callSecurityCronJobs, callSecurityCronJobsOriginal.
  • Test endpoints under security_cron_jobs_tests*.

9. Inputs & Outputs

  • Inputs: queue messages.
  • Outputs: rebuilt security rows.

10. Integrations

  • AWS SQS / local queue.

11. Calculations / Logic

  • Path traversal evaluation.

12. Status Lifecycle

  • 0 pending → 1 success → 2 error → 3 retry → 4 skipped.

13. Permissions

  • Service-level (Auth allowed).

14. Reports & KPIs

  • Queue depth, error rate, retry counts.

15. Risks & Observations

  • Endpoint open if not network-restricted.
  • Hardcoded ID blacklist.
  • Recursion loops on cyclic graphs.

16. Source Code Evidence

  • app/Controller/SecurityCronJobsController.php, SecurityCronJobsTestsController.php, SecurityCronJobsTestThreadController.php, SecurityCronJobsTestThreadsController.php, TestSecurityCronJobsController.php.
  • app/Controller/Component/SecuritySystemComponent.php.

← Deep dives index