Fixes #1460, Fixes #1459: Tokens are not required to disable a plugin or install...
authorbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Sun, 24 Jan 2010 18:47:42 +0000 (18:47 +0000)
committerbrettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Sun, 24 Jan 2010 18:47:42 +0000 (18:47 +0000)
git-svn-id: http://code.elgg.org/elgg/trunk@3836 36083f99-b078-4883-b0ff-0f9b5a30f544

engine/lib/actions.php

index ad5f0c208017fa04af73d4bc75ca00f4da5c7214..eafb421552c08355c125202c741f6bbeca4f9adc 100644 (file)
 function action($action, $forwarder = "") {
        global $CONFIG;
 
-       // All actions require a token.
-       if (!action_gatekeeper()) {
-               $message = "ERROR: $action was called without an action token and has been ignored.  This is usually caused by outdated 3rd party plugins.";
-
-               error_log($message);
-               register_error($message);
-               forward();
+       // @todo REMOVE THESE EXCEPTIONS IN 1.8.
+       // These are only to provide a way to disable plugins that overwrite core
+       // UI without tokens.  (And for installation because of session_id problems)
+       $exceptions = array(
+               'systemsettings/install',
+               'admin/plugins/disable'
+       );
+
+       if (!in_array($action, $exceptions)) {
+               // All actions require a token.
+               if (!action_gatekeeper()) {
+                       $message = "ERROR: $action was called without an action token and has been ignored.  This is usually caused by outdated 3rd party plugins.";
+
+                       error_log($message);
+                       register_error($message);
+                       forward();
+               }
        }
 
        // if there are any query parameters, make them available from get_input
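Review bot: The two entries in `$exceptions` skip `action_gatekeeper()` entirely, so `admin/plugins/disable` and `systemsettings/install` now run with no action-token check, and a forged cross-site request made in an administrator's session would reach them. Whether those handlers enforce their own admin or not-yet-installed checks is not visible in this hunk, so the comment above the array should state that dependency. Each use of the bypass should also be logged in an `else` branch, e.g. `error_log("NOTICE: $action ran without an action token (temporary exception)");`. The membership test should be strict as well, `if (!in_array($action, $exceptions, true)) {`, so that only the exact strings match. The body of action() continues outside the hunk.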