Add "Don't allow creation of arbitrary documents via web request"

Code-Security-Guidelines.md

@@ -36,3 +36,28 @@ If for some reason, you have to use `.format` to build your queries, make sure t
 result = frappe.db.sql('select first_name from tabUser where name={}'.format(frappe.db.escape(user)))
 ```
 
+## Don't allow creation of arbitrary documents via web request
+
+Let's say you have created an API method `create_document`:
+
+**api.py**
+```
+def create_document(values):
+  doc = frappe.get_doc(values).insert(ignore_permissions=True)
+  return doc
+```
+
+This looks like a simple helper at first, but it allows a user to create **any** document on the site, since it bypasses the permissions check. Make sure to add additional checks if you really want arbitrary document creation.
+
+You can use a combination of `frappe.only_for` method to restrict the method to System Managers and some manual checks. For e.g.,
+
+```
+def create_document(values):
+  frappe.only_for('System User')
+  
+  if values['doctype'] not in ('ToDo', 'Note', 'Task'):
+    frappe.throw('Invalid Document Type')
+
+  doc = frappe.get_doc(values).insert(ignore_permissions=True)
+  return doc
+```