Added content from suggestions

Signed-off-by: Christian Wolf <github@christianwolf.email>
This commit is contained in:
Christian Wolf
2025-09-26 20:52:10 +02:00
parent 66d1f61345
commit 179d774357
3 changed files with 5 additions and 3 deletions

@@ -439,7 +439,9 @@ developers can implement their own types of menu renderings by adding a custom
class implementing the ``OCP\\AppFramework\\Http\\Template\\IMenuAction`` interface. class implementing the ``OCP\\AppFramework\\Http\\Template\\IMenuAction`` interface.
As the public template is also some HTML template, the same argumentation as for :ref:`regular templates<controller_template>` regarding the CSRF checks hold true: As the public template is also some HTML template, the same argumentation as for :ref:`regular templates<controller_template>` regarding the CSRF checks hold true:
The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable and is actually needed to visit the page without an active account. The usage of ``#[NoCSRFRequired]`` for public pages is considered acceptable for some pages:
Each page that the user should be able to directly access (by typing/pastig the URL in the browser or clicking on a link in a mail) should have this attribute set.
For multi-page forms in the second and later stages, this should **not** be set as the user should follow the series of pages.
Data-based responses Data-based responses
-------------------- --------------------
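Review bot: typo in the added line "by typing/pastig the URL in the browser": "pastig" should read "pasting". While touching this paragraph, the context line "regarding the CSRF checks hold true" should be "holds true" (the subject is "the same argumentation"). On substance, the new guidance is sound but would be clearer if it tied the exception to state: a page may carry ``#[NoCSRFRequired]`` when it only renders data for a directly reachable URL, whereas any later stage of a multi-page form that accepts and processes submitted input must keep the token check, since that is exactly the request a forged cross-site submission would target.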

@@ -117,7 +117,7 @@ There are different ways a clients might interact with your APIs.
These ways depend on your API configuration (what you allow) and on which route the request is finally made. These ways depend on your API configuration (what you allow) and on which route the request is finally made.
- *Access from web frontend* means the user is accessing the Nextcloud web frontend with a web browser. - *Access from web frontend* means the user is accessing the Nextcloud web frontend with a web browser.
- *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.``` - *Access from non-browser* is if the user accesses the resource or page using something that is not a web browser, like an Android app or a curl command.
- *Access from external website* means that the user browses some third party web site and data from your Nextcloud server appears. - *Access from external website* means that the user browses some third party web site and data from your Nextcloud server appears.
The other website has to embed/load/use images, JSON data, or other resources from a URL pointing to the Nextcloud server, to be able to do this. The other website has to embed/load/use images, JSON data, or other resources from a URL pointing to the Nextcloud server, to be able to do this.
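Review bot: removing the stray closing fence (`` ``` ``) from the end of the *Access from non-browser* bullet is correct; the literal backticks would have been rendered into the output. The hunk header context line "There are different ways a clients might interact with your APIs" carries an unrelated typo ("a clients" should be "clients") that could be fixed in the same file while you are here.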

@@ -233,7 +233,7 @@ If you are using the App Framework, every controller method is automatically che
Additionally, it is advised to carefully select the HTTP method used for requests. Additionally, it is advised to carefully select the HTTP method used for requests.
Requests of type ``GET`` should not alter data but just read existing data. Requests of type ``GET`` should not alter data but just read existing data.
As long as no other attack is involved, any non-``GET`` request requires at least user interaction (transmitting a form). This way, at least no typed (or copied) URL might alter data (e.g. clicking a link from a spam mail message by accident).
Unvalidated redirects Unvalidated redirects
--------------------- ---------------------
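Review bot: the added sentence "any non-``GET`` request requires at least user interaction (transmitting a form)" is not accurate and could mislead readers: a third-party page can issue ``POST`` requests without any user interaction (an auto-submitting form or a script), which is precisely why the CSRF token check described in the hunk header exists, and the method alone gives no protection. The point the paragraph actually needs is the one in the second sentence, so suggest rewording the addition along the lines of: "A URL typed into the address bar or followed from a link (for example in a mail message) is always requested with ``GET``, so keeping ``GET`` handlers free of side effects ensures such a request cannot alter data; requests with other methods remain covered by the CSRF token check." Please also confirm there is a blank line between the new sentence and the "Unvalidated redirects" heading, since reST needs one for the title to be recognised.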