Merge pull request #9363 from nextcloud/backport/9359/stable25
[stable25] Document when to use the NoTwoFactorRequired annotation
ChristophWurst authored Nov 14, 2022
2 parents d0e7904 + 0d7496a commit a48cded
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion developer_manual/basics/controllers.rst
Expand Up @@ -770,15 +770,17 @@ By default every controller method enforces the maximum security, which is:

* Ensure that the user is admin
* Ensure that the user is logged in
* Ensure that the user has passed the two-factor challenge, if applicable
* Check the CSRF token

Most of the time though it makes sense to also allow normal users to access the page and the PageController->index() method should not check the CSRF token because it has not yet been sent to the client and because of that can't work.

To turn off checks the following *Annotations* can be added before the controller:

* **@NoAdminRequired**: Also users that are not admins can access the page
* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__)
* **@PublicPage**: Everyone can access the page without having to log in
* **@NoTwoFactorRequired**: A user can access the page before the two-factor challenge has been passed (use this wisely and only in two-factor auth apps, e.g. to allow setup during login)
* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__)

A controller method that turns off all checks would look like this:

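Review bot: the new **@NoTwoFactorRequired** bullet tells readers to use the annotation "only in two-factor auth apps" but, unlike the **@NoCSRFRequired** bullet directly below it, gives no pointer to where the risk and the intended use are explained; consider adding a link to the two-factor provider documentation in the same style as the CSRF link, and stating explicitly that the annotation only skips the second-factor check while the login check still applies, so it is not confused with **@PublicPage**. The matching entry in the enforced-checks list, "if applicable", is also vague: spell out when the check applies (the user has two-factor authentication enabled or enforced). Finally, since the sentence that follows introduces a method that "turns off all checks", make sure that example now includes **@NoTwoFactorRequired** as well, or reword it to say which checks it turns off.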
