Make CSRF check clearer

Signed-off-by: Christian Wolf <github@christianwolf.email>
This commit is contained in:
Christian Wolf
2025-02-28 14:00:32 +01:00
parent bc321ab0d1
commit 9388034295

@@ -799,7 +799,10 @@ By default every controller method enforces the maximum security, which is:
* Ensure that the user is admin
* Ensure that the user is logged in
* Ensure that the user has passed the two-factor challenge, if applicable
* Check the CSRF token
* Ensure the request is no CSRF attack, that is at least one of the following:
- Ensure the CSRF token is present and valid
- Ensure the ``OCS-APIRequest`` header is present and set to ``true`` [1]_
Loosening the default restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
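Review bot: the new bullet "Ensure the request is no CSRF attack, that is at least one of the following:" reads awkwardly and, as a nested list, will not render as one in reStructuredText unless the two "-" items are indented under the "*" item and separated from it by a blank line. Suggest "Ensure the request is not a CSRF attack, i.e. at least one of the following holds:" followed by a blank line and the two indented sub-items. It would also help readers to state in one sentence why the ``OCS-APIRequest`` header alone counts as CSRF protection: a cross-site form submission cannot set a custom request header, and a cross-origin script can only do so after a CORS preflight the server would refuse, so its presence indicates a same-origin (or explicitly allowed) request.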
@@ -1023,3 +1026,5 @@ The following policy for instance allows images, audio and videos from other dom
---
.. [1] Even though the header name ``OCS-APIRequest`` hints purely at OCS controllers, with NC 30 classic controller methods respect this header as well.
Until NC 30, classical controller methods did not respect the header.
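Review bot: the footnote's second sentence "Until NC 30, classical controller methods did not respect the header." restates the first sentence and is ambiguous about whether NC 30 itself is included, while the first sentence already says that from NC 30 on the header is respected. Suggest dropping it, or replacing both with one line such as "Before Nextcloud 30, only OCS controllers honoured the ``OCS-APIRequest`` header; since NC 30, classic controller methods respect it as well." Also use one spelling ("classic" or "classical") throughout, and note that the "---" line above the footnote is only three characters, whereas a reStructuredText transition needs four or more.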