Added content from suggestions

Signed-off-by: Christian Wolf <github@christianwolf.email>
This commit is contained in:
Christian Wolf
2025-09-26 20:52:10 +02:00
parent 66d1f61345
commit 179d774357
3 changed files with 5 additions and 3 deletions

@@ -439,7 +439,9 @@ developers can implement their own types of menu renderings by adding a custom
class implementing the ``OCP\\AppFramework\\Http\\Template\\IMenuAction`` interface.
As the public template is also some HTML template, the same argumentation as for :ref:`regular templates<controller_template>` regarding the CSRF checks hold true:
The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable and is actually needed to visit the page without an active account.
The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable for some pages:
Each page that the user should be able to directly access (by typing/pastig the URL in the browser or clicking on a link in a mail) should have this attribute set.
For multi-page forms in the second and later stages, this should **not** be set as the user should follow the series of pages.
Data-based responses
--------------------
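Review bot: "pastig" in the added line "Each page that the user should be able to directly access (by typing/pastig the URL …)" is a typo for "pasting". On substance, the replacement drops the reason the old line gave (the attribute is needed to reach the page without an active account), which is the justification a reader needs to decide when it is acceptable; consider keeping it, e.g. "… is considered acceptable for some pages, because the check cannot succeed without an active account:". It would also help to state explicitly why the later stages of a multi-page form must keep the check: those stages are reached by submitting a form (a non-GET request that can change state), so the token must be verified there, while the entry page is a plain GET that only renders.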

@@ -117,7 +117,7 @@ There are different ways a clients might interact with your APIs.
These ways depend on your API configuration (what you allow) and on which route the request is finally made.
- *Access from web frontend* means the user is accessing the Nextcloud web frontend with a web browser.
- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.```
- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.
- *Access from external website* means that the user browses some third party web site and data from your Nextcloud server appears.
The other website has to embed/load/use images, JSON data, or other resources from a URL pointing to the Nextcloud server, to be able to do this.
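Review bot: the change only strips the stray "```" that had been appended to the "*Access from non-browser*" bullet, which is correct. While touching this list, the unchanged context line in the hunk header, "There are different ways a clients might interact with your APIs.", has a grammatical slip ("a clients"); suggest "There are different ways clients might interact with your APIs." in the same commit so the list introduction is clean as well.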

@@ -233,7 +233,7 @@ If you are using the App Framework, every controller method is automatically che
Additionally, it is advised to carefully select the HTTP method used for requests.
Requests of type ``GET`` should not alter data but just read existing data.
As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form).
This way, at least no typed (or copied) URL might alter data (e.g. clicking a link from a spam mail message by accident).
Unvalidated redirects
---------------------
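Review bot: the line "As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form)." overstates what the method choice buys. A third-party page can submit a form or send a request to a non-``GET`` route without the user doing anything, which is exactly the case the CSRF check two paragraphs earlier exists for; the hedge "as long as no other attack is involved" hides that. Suggest stating the narrower guarantee, e.g. "A non-``GET`` request cannot be triggered by merely following a link, so a typed, pasted or mailed URL cannot alter data; protection against requests forged by another website is provided by the CSRF check above." Also "transmitting a form" reads better as "submitting a form".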