You've run in to a known issue with doing stuff through the 'cron' mechanism, to do with access controls. As there is no actual "cron" (scheduled task runner) in J!, we run our cron plugin during normal page loading, as the last event that happens after a page is loaded on the front end. Each time a page is loaded, after the page is rendered (so the user loading the page won't notice any performance difference) our system cron plugin runs, checks to see if there's any tasks due to be run, and if so runs them. But ... this means that the task is running with the credentials of whoever happened to be loading the page when the task(s) became due to run.
When you run it by hand on the backend, the task you are running has your backend admin access. But when it's triggered from the cron plugin, it only has the access of whoever is logged in when it runs. And the CSV import plugin runs the same code as the manual CSV import feature, which checks to see if the logged in user has "empty table" privileges.
We don't do scheduled task running in the backend, because that could cause big problems if a cron job errors out, making the backend of your site inaccessible.
The only way round this is to copy your list, give "public" the "empty table" access, and use that copy of the list for your CSV import cron plugin. This is a security risk. You would be relying on "security through obscurity", by never using that copy of the list on the front end (so that list ID is never shown on the front end), so attackers would have to know / guess the list ID in order to exploit it.
The only other solution would be for us to add a new option to the cron CSV plugin, something like "override ACL", and set a session variable which the import model could check. But that's outside the scope of subscription support, it would have to be done as billable work.
Bottom line - it's up to you whether your usage is security sensitive enough to pay an hour's work to add a new feature, or if "security through obscurity" is good enough for your use.
-- hugh
