add convention

Author: simonLeary42

CONTRIBUTING.md

@@ -22,6 +22,7 @@
   This will enable strict mode and throw an exception rather than returning `false`.
 - `UnityHTTPD`'s user-facing error functionality (ex: `badRequest`) should only be called from `webroot/**/*.php`.
   `resources/**/*.php` should throw exceptions instead.
+- all pages under `webroot/admin/` must check for `$USER->isAdmin()` and call `UnityHTTPD::forbidden()` if not admin.
 
 This repository will automatically check PRs for linting compliance.