Merged
23 commits
e398993
First create some structure to fill in the content in next commits
christianlupus Jan 29, 2025
2f1bc35
Move section html templates
christianlupus Feb 28, 2025
9e95840
Moved section public html templates
christianlupus Feb 28, 2025
af0cad8
Move section OCS
christianlupus Feb 28, 2025
578cbce
Move section JSON
christianlupus Feb 28, 2025
e58d1ff
Move section Responders
christianlupus Feb 28, 2025
1693e6e
Moving section handling errors
christianlupus Feb 28, 2025
24e4e6b
Moving section Authentication
christianlupus Feb 28, 2025
30c5183
Move section Content security policy
christianlupus Feb 28, 2025
c2040e8
Moving section Redirects
christianlupus Feb 28, 2025
0ac03ca
Move section Downloads
christianlupus Feb 28, 2025
ef9fb32
Move section custom responses
christianlupus Feb 28, 2025
ef54c9e
Move section Streamed/lazily rendered Content
christianlupus Feb 28, 2025
7d41100
Move section Rate Limiting
christianlupus Feb 28, 2025
27c0ce5
Move section brute-force protection
christianlupus Feb 28, 2025
0935fa8
Adding some introductions to new chapter structure
christianlupus Feb 28, 2025
bc321ab
Update some texts to reflect current situation better
christianlupus Feb 28, 2025
9388034
Make CSRF check clearer
christianlupus Feb 28, 2025
d3348cd
Add more examples in the Authentication section
christianlupus Feb 28, 2025
e2b2504
Fix some minor punctuation
christianlupus Feb 28, 2025
17043e2
Update routing file
christianlupus Feb 28, 2025
5435dcd
Apply suggestions from code review
christianlupus Feb 28, 2025
b8b0411
Apply suggestions from code review
christianlupus Feb 28, 2025
71 changes: 71 additions & 0 deletions developer_manual/basics/controllers.rst
@@ -825,6 +825,77 @@ To turn off checks the following *Attributes* can be added before the controller
* ``@NoTwoFactorRequired``` instead of ``#[NoTwoFactorRequired]``
* ``@NoCSRFRequired``` instead of ``#[NoCSRFRequired]``

In the following some examples of configurations are given.

Showing an HTML page by the user
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A typical app needs an ``index.html`` page to show all content within.
This page should be visible by all users in the instance.
Therefore, you need to loosen the restriction from admins only (``#[NoAdminRequired]``).
Additionally, as the user might not have a CSRF checker cookie set yet, the CSRF checks should be disabled (which is fine as this is a template response).

.. code-block:: php

<?php
namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\PublicPage;

class PageController extends Controller {

#[NoCSRFRequired]
#[NoAdminRequired]
public function index(): TemplateResponse {
return new TemplateResponse($this->appName, 'main');
}

}

If the page should only be visible to the admin, you can keep the restrictive default by omitting the attribute ``#[NoAdminRequired]``.

Getting data from the backend using AJAX requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data for the frontend needs to be made available from the backend.
Here, OCS is the suggested way to go.
Here is the example from :ref:`OCS controllers <ocscontroller>`:

.. code-block:: php

<?php
namespace OCA\MyApp\Controller;

use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\Attribute\NoAdminRequired;
use OCP\AppFramework\OCSController;

class ShareController extends OCSController {

#[NoAdminRequired]
public function getShares(): DataResponse {
return new DataResponse([
// Your data here
]);
}

}

The ``#[NoAdminRequired]`` is needed here as normal users should be able to access the data in fact.
It can be left out in case only the admin user should be able to access the data.
The CSRF check is still active.
Thus, the client must obey the corresponding requirements.

Completely disabled authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. warning::
This is a security issue if the side-effects are not carefully considered.
You should only use this for public pages that anyone is allowed to access.

A controller method that turns off all checks would look like this:

.. code-block:: php
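Review bot: the ``PageController`` example in this hunk imports ``OCP\AppFramework\Http\Attribute\PublicPage`` but never uses it, while the ``#[NoAdminRequired]`` attribute it does use is never imported; PHP resolves the unimported name against the current namespace, so the attribute becomes ``OCA\MyApp\Controller\NoAdminRequired``, the framework's attribute check will not match it, and the method stays admin-only, the opposite of what the surrounding text promises. Replace the import with ``use OCP\AppFramework\Http\Attribute\NoAdminRequired;`` (the ``ShareController`` example further down already uses exactly that line). In the same hunk, the two legacy annotation bullets (``@NoTwoFactorRequired`` and ``@NoCSRFRequired``) end with three backticks instead of two, which breaks the RST inline literal; drop the stray backtick. The CSRF rationale also needs tightening: "the user might not have a CSRF checker cookie set yet" and "which is fine as this is a template response" conflate why the check must be dropped with why dropping it is safe. The check has to go because a plain browser navigation carries no request token; it is safe to go only because the method is a side-effect-free GET that merely renders a template. A template-returning method that also changed state would still need the check, so say that explicitly. Minor wording in the same hunk: the heading "Showing an HTML page by the user" should read "to the user", and "normal users should be able to access the data in fact" reads better without "in fact".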