From 1ba101bd5cfae6f35ec66e7f7743c1f57959ebb3 Mon Sep 17 00:00:00 2001 From: Faris Ansari Date: Fri, 19 Mar 2021 13:21:54 +0530 Subject: [PATCH] Add "Don't allow creation of arbitrary documents via web request" --- Code-Security-Guidelines.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/Code-Security-Guidelines.md b/Code-Security-Guidelines.md index 446ba7e..734f206 100644 --- a/Code-Security-Guidelines.md +++ b/Code-Security-Guidelines.md @@ -36,3 +36,28 @@ If for some reason, you have to use `.format` to build your queries, make sure t result = frappe.db.sql('select first_name from tabUser where name={}'.format(frappe.db.escape(user))) ``` +## Don't allow creation of arbitrary documents via web request + +Let's say you have created an API method `create_document`: + +**api.py** +``` +def create_document(values): + doc = frappe.get_doc(values).insert(ignore_permissions=True) + return doc +``` + +This looks like a simple helper at first, but it allows a user to create **any** document on the site, since it bypasses the permissions check. Make sure to add additional checks if you really want arbitrary document creation. + +You can use a combination of `frappe.only_for` method to restrict the method to System Managers and some manual checks. For e.g., + +``` +def create_document(values): + frappe.only_for('System User') + + if values['doctype'] not in ('ToDo', 'Note', 'Task'): + frappe.throw('Invalid Document Type') + + doc = frappe.get_doc(values).insert(ignore_permissions=True) + return doc +``` \ No newline at end of file
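Review bot: the prose and the code in the new section disagree about which role is enforced: the text says the combination restricts the method "to System Managers", but the hardened example calls `frappe.only_for('System User')`, which is a different (and much broader) role than System Manager; either change the sentence to say System Users or pass the role the text promises. Two smaller points in the same hunk: the `values['doctype']` lookup runs before any validation, so a request whose body lacks `doctype` (or arrives as a JSON string rather than a dict) fails with an exception instead of the intended `frappe.throw('Invalid Document Type')`, so a short line such as `doctype = (values or {}).get('doctype')` with the allowlist check on it would make the example robust; and both fences are untagged, while tagging them as `python` would match the intent of showing runnable API code. Finally, "For e.g.," reads awkwardly (use "For example,") and the file now lacks a trailing newline.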