From 179d7743572ea11e89efe7fda478d1a15bb8b716 Mon Sep 17 00:00:00 2001 From: Christian Wolf Date: Fri, 26 Sep 2025 20:52:10 +0200 Subject: [PATCH] Added content from suggestions Signed-off-by: Christian Wolf --- developer_manual/basics/controllers.rst | 4 +++- developer_manual/digging_deeper/rest_apis.rst | 2 +- developer_manual/prologue/security.rst | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/developer_manual/basics/controllers.rst b/developer_manual/basics/controllers.rst index fad325c1b..a0c5b975f 100644 --- a/developer_manual/basics/controllers.rst +++ b/developer_manual/basics/controllers.rst @@ -439,7 +439,9 @@ developers can implement their own types of menu renderings by adding a custom class implementing the ``OCP\\AppFramework\\Http\\Template\\IMenuAction`` interface. As the public template is also some HTML template, the same argumentation as for :ref:`regular templates` regarding the CSRF checks hold true: -The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable and is actually needed to visit the page without an active account. +The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable for some pages: +Each page that the user should be able to directly access (by typing/pastig the URL in the browser or clicking on a link in a mail) should have this attribute set. +For multi-page forms in the second and later stages, this should **not** be set as the user should follow the series of pages. Data-based responses -------------------- diff --git a/developer_manual/digging_deeper/rest_apis.rst b/developer_manual/digging_deeper/rest_apis.rst index 40d6039e0..d633df884 100644 --- a/developer_manual/digging_deeper/rest_apis.rst +++ b/developer_manual/digging_deeper/rest_apis.rst 
@@ -117,7 +117,7 @@ There are different ways a clients might interact with your APIs. These ways depend on your API configuration (what you allow) and on which route the request is finally made. - *Access from web frontend* means the user is accessing the Nextcloud web frontend with a web browser. -- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.``` +- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command. - *Access from external website* means that the user browses some third party web site and data from your Nextcloud server appears. The other website has to embed/load/use images, JSON data, or other resources from a URL pointing to the Nextcloud server, to be able to do this. diff --git a/developer_manual/prologue/security.rst b/developer_manual/prologue/security.rst index d0d5e5efe..836300b1a 100644 --- a/developer_manual/prologue/security.rst +++ b/developer_manual/prologue/security.rst @@ -233,7 +233,7 @@ If you are using the App Framework, every controller method is automatically che Additionally, it is advised to carefully select the HTTP method used for requests. Requests of type ``GET`` should not alter data but just read existing data. -As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form). +This way, at least no typed (or copied) URL might alter data (e.g. clicking a link from a spam mail message by accident). Unvalidated redirects ---------------------
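Review bot: In the controllers.rst hunk, "pastig" in the added line "Each page that the user should be able to directly access (by typing/pastig the URL in the browser ..." should read "pasting". The sentence "The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable for some pages:" is also awkward as the lead into a list of two cases; consider "is acceptable only for some pages:" so the following two lines read as the rule and its exception. Finally, the multi-page-form line states only that "the user should follow the series of pages" but not what protects the later stages; one clause saying that those stages are reached only by submitting the form rendered on the previous page (which carries the CSRF token) would make the reason for dropping the attribute explicit.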
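Review bot: In the security.rst hunk, the new sentence "This way, at least no typed (or copied) URL might alter data (e.g. clicking a link from a spam mail message by accident)." mixes its cases: the main clause is about typed or copied URLs, while the parenthetical example is about clicking a link, and "might" reads as a possibility rather than a guarantee. Suggest "This way, merely opening a URL, whether typed, pasted, or clicked (for example a link in a spam mail), cannot alter data." Note also that the removed line "As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form)." carried the point that non-GET requests need a form submission; if that is still intended, keep it as a second sentence rather than dropping it.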