Review Guidelines
When you submit an extension for review, the Zoho Expense team will check the extension for vulnerabilities and assess compliance with our review guidelines.
Note: The extension will be reviewed within a week from the date you submit it for review.
If the extension does not violate our guidelines, it is approved and you can publish it in Zoho Marketplace. If it does, we will send you an email stating the reasons for rejection and the changes required. Make those changes and submit the extension for review again.
The guidelines followed by our team when reviewing an extension are listed below:
Common Guidelines
- Check the components and scripts used in the extension to ensure that no unwanted or unused components are present.
- Check that no more than 5 custom fields are used in each module.
- Check what data the extension collects and what actions it performs during installation and uninstallation.
- Check that the extension name does not contain the name of the product for which it is developed. For example, use Twilio rather than Twilio for Zoho Expense.
Guidelines for Connections
- If an extension contains scopes, check that only the scopes that are necessary for the connection are used.
- If the authentication type is OAuth2, check that the authorize URL contains the query parameter “access_type=offline”, so that a refresh token is issued and the connection keeps working after the access token expires.
- Check that the connection name is the service name and the extension name in Pascal case, separated by a hyphen. For example, ZohoExpense-Twilio.
- If individual users of an organization have to connect and authorize the connections used in the extensions, check that the value for the user access param is true.
Guidelines for Custom Scripts
- If the extension will be used in other Zoho Finance apps, check that internal SDK methods are not used.
- In the invoke URL calls, check where the data is being used, and what action is performed using the data.
- Check that the invoke call’s URL contains “api_root_endpoint” rather than a hard-coded host.
- Check that components are not created using scripts.
- If comments are used in the custom scripts, check that no personal or sensitive information is included in them.
- Check that the script used is scalable. For instance, if data is being fetched, check that the data is retrieved only the necessary number of times.
- If the send mail param is used, check what data is sent to the developer.
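The checks under Guidelines for Connections and Guidelines for Custom Scripts that can be verified mechanically are gathered below into a pre-submission lint. This is an added example, not Zoho's review tooling: the manifest layout (`connections`, `auth_type`, `authorize_url`, `user_access`, `scopes`, `invoke_urls`, `scripts`, `per_user_auth`), the `{api_root_endpoint}` placeholder syntax and the use of `fullaccess` as the marker of a catch-all scope are assumptions made for the example; the sample manifests are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Pascal-case service and extension names joined by a hyphen, e.g. ZohoExpense-Twilio.
CONNECTION_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*-[A-Z][A-Za-z0-9]*$")
# Placeholder the review expects in every invoke URL (exact syntax is assumed here).
API_ROOT_PLACEHOLDER = "api_root_endpoint"
# Things that should never appear in script comments.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
SECRET_WORDS = ("password", "secret", "token", "apikey", "api_key")
# Deluge comments: // to end of line (but not the // inside https://) and /* ... */.
COMMENT_RE = re.compile(r"(?<!:)//[^\n]*|/\*.*?\*/", re.S)


def check_connection(conn, per_user=False):
    """Return guideline violations for one connection dict (field names assumed)."""
    problems = []
    name = conn.get("name", "")
    if not CONNECTION_NAME_RE.match(name):
        problems.append(f"connection name {name!r} is not Service-Extension in Pascal case")

    scopes = conn.get("scopes", [])
    if len(set(scopes)) != len(scopes):
        problems.append("duplicate scopes requested")
    for scope in scopes:
        if "fullaccess" in scope.lower():  # assumed marker for a catch-all scope
            problems.append(f"scope {scope!r} is broader than the connection needs")

    if conn.get("auth_type", "").lower() == "oauth2":
        # Parse the query string instead of substring-matching, so a value such as
        # access_type=offline_x or one hidden in the URL fragment does not pass.
        query = parse_qs(urlparse(conn.get("authorize_url", "")).query)
        if query.get("access_type") != ["offline"]:
            problems.append("OAuth2 authorize URL must carry access_type=offline")

    if per_user and conn.get("user_access") is not True:
        problems.append("per-user connection must set user_access=true")
    return problems


def check_invoke_urls(urls):
    """Flag invoke URLs that hard-code a host instead of using the placeholder."""
    return [f"invoke URL {u!r} does not use {API_ROOT_PLACEHOLDER}"
            for u in urls if API_ROOT_PLACEHOLDER not in u]


def check_script_comments(script):
    """Flag comments in a Deluge script that carry personal or sensitive data."""
    problems = []
    for comment in COMMENT_RE.findall(script):
        low = comment.lower()
        if EMAIL_RE.search(comment) or any(w in low for w in SECRET_WORDS):
            problems.append(f"comment contains sensitive data: {comment.strip()[:60]!r}")
    return problems


def lint_extension(manifest):
    """Run every check over an extension manifest and return all violations."""
    problems = []
    per_user = manifest.get("per_user_auth", False)
    for conn in manifest.get("connections", []):
        problems += check_connection(conn, per_user=per_user)
    problems += check_invoke_urls(manifest.get("invoke_urls", []))
    for script in manifest.get("scripts", []):
        problems += check_script_comments(script)
    return problems


# Constructed manifests for demonstration; the schema is an assumption, not Zoho's.
BAD_MANIFEST = {
    "per_user_auth": True,
    "connections": [{
        "name": "zohoexpense_twilio",
        "auth_type": "oauth2",
        "scopes": ["ZohoExpense.fullaccess.all", "ZohoExpense.reports.READ",
                   "ZohoExpense.reports.READ"],
        "authorize_url": "https://accounts.example.com/oauth/v2/auth?response_type=code",
        "user_access": False,
    }],
    "invoke_urls": ["https://expense.zoho.com/api/v1/expenses"],
    "scripts": ['// ask alice@example.com for the prod password before testing\n'
                'resp = invokeurl [ url : "https://expense.zoho.com/api/v1/expenses" ];'],
}

GOOD_MANIFEST = {
    "per_user_auth": True,
    "connections": [{
        "name": "ZohoExpense-Twilio",
        "auth_type": "oauth2",
        "scopes": ["ZohoExpense.reports.READ"],
        "authorize_url": "https://accounts.example.com/oauth/v2/auth"
                         "?response_type=code&access_type=offline",
        "user_access": True,
    }],
    "invoke_urls": ["{api_root_endpoint}/api/v1/expenses"],
    "scripts": ["// fetch the report once and reuse it\n"
                "resp = invokeurl [ url : \"{api_root_endpoint}/api/v1/reports\" ];"],
}

if __name__ == "__main__":
    for problem in lint_extension(BAD_MANIFEST):
        print("-", problem)
```

Running the lint on the constructed bad manifest reports seven findings, one per guideline it breaks, and none on the good one. The authorize URL check parses the query string rather than searching for the substring, which is the difference between a check that a reviewer can rely on and one that a stray fragment or a prefix-matching value would satisfy.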
Guidelines for Widgets
- If widgets are used, check that they adhere to the style used in the Zoho Expense user interface.
- Check that widget data is not written to the browser console (for example, through console.log).
Guidelines for Global Fields
- If a global field is used in a custom script, check that the “Allow use of Global fields in this custom function” option is checked.
- If the data type of the global field is Users or Roles, and notifications are sent to the users or roles, check that the value for the is_mandatory param is true.