Added CSRF + Auth checks

I added the CSRF and auth checks I'm not sure if the auth checks belong there or not but I thought it may be a nice idea to have it written down somewhere. Feel free to add your opinion!
2026-01-03 10:20:02 +07:00 · 2012-10-29 14:59:48 +01:00
parent c3f9fa711a
commit c0e111497e
1 changed files with 17 additions and 2 deletions
--- a/developer_manual/security.rst
+++ b/developer_manual/security.rst
@@ -12,6 +12,21 @@ Blacklisted PHP functionality
 **!=** 
 Use !== instead
 **rand(), srand(), mt_rand()**
- Use openssl_random_pseudo_bytes() instead
+ If you need a cryptographical secure random number use OC_Util::generate_random_bytes() instead

-TBD
+CSRF protection
+-----------------------------
+Please add OC_Util::isCallRegistered() or OC_JSON::callCheck() at the top of your file to prevent Cross-site request forgery.
+
+See http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+Auth checks
+-----------------------------
+OC_Util::checkLoggedIn() or OC_JSON::checkLoggedIn()
+ Checks if the user is logged in
+OC_Util::checkAdminUser() or OC_JSON::checkAdminUser()
+ Checks if the user has admin rights
+OC_Util::checkSubAdminUser() or OC_JSON::checkSubAdminUser()
+ Checks if the user has subadmin rights
+
+TBD