From c0e111497e1f4eafcf70798309f54a62fe62a947 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Mon, 29 Oct 2012 14:59:48 +0100
Subject: [PATCH] Added CSRF + Auth checks

I added the CSRF and auth checks

I'm not sure if the auth checks belong there or not but I thought it may be a nice idea to have it written down somewhere.
Feel free to add your opinion!
---
 developer_manual/security.rst | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/developer_manual/security.rst b/developer_manual/security.rst
index 5dc249c85..d38ed540b 100644
--- a/developer_manual/security.rst
+++ b/developer_manual/security.rst
@@ -12,6 +12,21 @@ Blacklisted PHP functionality
 **!=** 
  Use !== instead
 **rand(), srand(), mt_rand()**
- Use openssl_random_pseudo_bytes() instead
+ If you need a cryptographical secure random number use OC_Util::generate_random_bytes() instead
 
-TBD
+CSRF protection
+-----------------------------
+Please add OC_Util::isCallRegistered() or OC_JSON::callCheck() at the top of your file to prevent Cross-site request forgery.
+
+See http://en.wikipedia.org/wiki/Cross-site_request_forgery
+
+Auth checks
+-----------------------------
+OC_Util::checkLoggedIn() or OC_JSON::checkLoggedIn()
+ Checks if the user is logged in
+OC_Util::checkAdminUser() or OC_JSON::checkAdminUser()
+ Checks if the user has admin rights
+OC_Util::checkSubAdminUser() or OC_JSON::checkSubAdminUser()
+ Checks if the user has subadmin rights
+
+TBD
\ No newline at end of file