Not all crons run in CLI mode. You can't run in CLI mode if you want
to give users the ability to use external
cronjob services unless you use a script which is called by the
external service by HTTP to start a shell script.
which completely defeats the idea of CSRF
So, you are saying that those who are not able to run crons by calling a
shell script (shared hosting) should not be able to run Roundcube and
its plugins? As far as I understand CSRF, it should prevent POST and
AJAX requests from unauthorized sources and nothing else. Why do you
have concerns about running HTTP-based cronjobs? Of course there are IP or
authorization token checks. I didn't say that Devs should disable
security features.
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev