mirror of
https://github.com/nextcloud/documentation.git
synced 2026-01-03 02:09:45 +07:00
c0e111497e
I added the CSRF and auth checks I'm not sure if the auth checks belong there or not but I thought it may be a nice idea to have it written down somewhere. Feel free to add your opinion!
32 lines
938 B
ReStructuredText
32 lines
938 B
ReStructuredText
Security
|
|
========
|
|
|
|
Blacklisted PHP functionality
|
|
-----------------------------
|
|
**echo, print(), <?=**
|
|
Use $this->p in templates instead
|
|
**error_log**
|
|
Use throw new Exception("Description") instead
|
|
**==**
|
|
Use === instead
|
|
**!=**
|
|
Use !== instead
|
|
**rand(), srand(), mt_rand()**
|
|
If you need a cryptographical secure random number use OC_Util::generate_random_bytes() instead
|
|
|
|
CSRF protection
|
|
-----------------------------
|
|
Please add OC_Util::isCallRegistered() or OC_JSON::callCheck() at the top of your file to prevent Cross-site request forgery.
|
|
|
|
See http://en.wikipedia.org/wiki/Cross-site_request_forgery
|
|
|
|
Auth checks
|
|
-----------------------------
|
|
OC_Util::checkLoggedIn() or OC_JSON::checkLoggedIn()
|
|
Checks if the user is logged in
|
|
OC_Util::checkAdminUser() or OC_JSON::checkAdminUser()
|
|
Checks if the user has admin rights
|
|
OC_Util::checkSubAdminUser() or OC_JSON::checkSubAdminUser()
|
|
Checks if the user has subadmin rights
|
|
|
|
TBD |