authorThomas Lange <code@nerdmind.de>2021-08-05 17:38:36 +0200
committerThomas Lange <code@nerdmind.de>2021-08-05 17:59:30 +0200
commitde51f59ef9a50bce0ef63a883c590d1feeadca5d (patch)
treeb1e5d51389b069e27dd3391b28516a0214590a8e /admin/category
parent5b2770aa34f0fb329492311080c101c03c493fb3 (diff)
downloadblog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.tar.gz
blog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.tar.xz
blog-de51f59ef9a50bce0ef63a883c590d1feeadca5d.zip
Show error message if CSRF token does not matches
Print an error message for various actions in the administration area if the security token is invalid, instead of silently preventing the user's desired action from being performed when the token is invalid for some reason. This change applies to the delete actions on all entity types and also to the login action and the database command execution form; the forms for creating/modifying entities had already shown a CSRF error before.
Diffstat (limited to 'admin/category')
-rw-r--r--admin/category/delete.php16
1 files changed, 10 insertions, 6 deletions
diff --git a/admin/category/delete.php b/admin/category/delete.php
index e92387c..d7b3001 100644
--- a/admin/category/delete.php
+++ b/admin/category/delete.php
@@ -25,13 +25,17 @@ if(!$Category = $CategoryRepository->find(HTTP::GET('id'))) {
#===============================================================================
# Check for delete request
#===============================================================================
-if(HTTP::issetPOST(['token' => Application::getSecurityToken()], 'delete')) {
- try {
- if($CategoryRepository->delete($Category)) {
- HTTP::redirect(Application::getAdminURL('category/'));
+if(HTTP::issetPOST('delete')) {
+ if(HTTP::issetPOST(['token' => Application::getSecurityToken()])) {
+ try {
+ if($CategoryRepository->delete($Category)) {
+ HTTP::redirect(Application::getAdminURL('category/'));
+ }
+ } catch(PDOException $Exception) {
+ $messages[] = $Exception->getMessage();
}
- } catch(PDOException $Exception) {
- $messages[] = $Exception->getMessage();
+ } else {
+ $messages[] = $Language->text('error_security_csrf');
}
}