Updated Code Security Guidelines (markdown)

Code-Security-Guidelines.md

@@ -121,4 +121,23 @@ Example:
 @frappe.whitelist()
 def get_file(path):
     return open(path).read()  # This allows reading everything on server.
+```
+
+
+
+## Apply permissions by default
+
+- Use `frappe.get_list` instead of `frappe.get_all` to ensure user can only read what they have permission to.
+- `document.save`, `document.insert`, `document.submit` etc all check for permission. So you don't have to do anything special here. 
+- `frappe.get_doc` doesn't check for permission by default, so if you're sending a document to user make sure you check permissions using `doc.check_permission("read")`
+
+
+Example:
+
+```diff
+  @frappe.whitelist()
+  def better_get_doc(doctype, name):
+      doc = frappe.get_doc(doctype, name)  # This allows bypassing all permission and reading every document in system
++     doc.check_permission("read")  # this makes sure logged in user has correct permission to read the document
+      return doc
 ```