authorBharat Mediratta <bharat@menalto.com>2009-03-27 03:43:21 +0000
committerBharat Mediratta <bharat@menalto.com>2009-03-27 03:43:21 +0000
commit921f3a2eeeca9be23cb006a31b6d6f71e186374a (patch)
treef9626ae5191418410714b662799649de5a1ea37c /modules
parentd7719a7e72de2ddc46c9173b0871f53e32ef40fc (diff)
Put csrf token into Admin_View and Theme_View by default, then use it
directly wherever possible instead of access::csrf_token().
Diffstat (limited to 'modules')
-rw-r--r--modules/comment/views/admin_comments.html.php6
-rw-r--r--modules/exif/helpers/exif_theme.php6
-rw-r--r--modules/exif/views/exif_sidebar.html.php3
-rw-r--r--modules/server_add/views/admin_server_add.html.php2
-rw-r--r--modules/tag/views/admin_tags.html.php4
-rw-r--r--modules/user/views/admin_users.html.php4
6 files changed, 11 insertions, 14 deletions
diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php
index c5689e08..63b1a394 100644
--- a/modules/comment/views/admin_comments.html.php
+++ b/modules/comment/views/admin_comments.html.php
@@ -1,7 +1,7 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
<script type="text/javascript">
var set_state_url =
- "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=" . access::csrf_token()) ?>";
+ "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=$csrf") ?>";
function set_state(state, id) {
$.get(set_state_url.replace("__STATE__", state).replace("__ID__", id),
{},
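Review bot: The new `set_state_url` line still sends the CSRF token as a `?csrf=` query parameter on a `$.get` call, so a state-changing admin action runs over GET and the token can be recorded in server access logs, proxy logs and browser history. The same pattern is on the new side of the `delete_url` and `delete_all_spam` hunks in this file and of both hunks in modules/user/views/admin_users.html.php, where it changes group membership. If the server-side check can read the token from the request body, move these calls to POST, for example `$.post(url, {csrf: "<?= $csrf ?>"}, callback)`, and have the controllers reject GET. The `set_state` function continues outside the hunk.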
@@ -12,7 +12,7 @@
}
var delete_url =
- "<?= url::site("admin/comments/delete/__ID__?csrf=" . access::csrf_token()) ?>";
+ "<?= url::site("admin/comments/delete/__ID__?csrf=$csrf") ?>";
function del(id) {
$.get(delete_url.replace("__ID__", id),
@@ -63,7 +63,7 @@
$spam->count()) ?>
</p>
<p>
- <a href="<?= url::site("admin/comments/delete_all_spam?csrf=" . access::csrf_token()) ?>">
+ <a href="<?= url::site("admin/comments/delete_all_spam?csrf=$csrf") ?>">
<?= t("Delete all spam") ?>
</a>
<? else: ?>
diff --git a/modules/exif/helpers/exif_theme.php b/modules/exif/helpers/exif_theme.php
index 41eb5c76..432bca40 100644
--- a/modules/exif/helpers/exif_theme.php
+++ b/modules/exif/helpers/exif_theme.php
@@ -26,11 +26,9 @@ class exif_theme_Core {
if (!empty($exif_count)) {
$view = new View("exif_sidebar.html");
-
- $csrf = access::csrf_token();
- $view->url = url::site("exif/show/{$item->id}?csrf=$csrf");
+ $view->item = $item;
return $view;
- }
+ }
}
return null;
}
diff --git a/modules/exif/views/exif_sidebar.html.php b/modules/exif/views/exif_sidebar.html.php
index 21f5a79b..fa482204 100644
--- a/modules/exif/views/exif_sidebar.html.php
+++ b/modules/exif/views/exif_sidebar.html.php
@@ -1,8 +1,7 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
-<a href="<?= $url ?>" title="<?= t("Photo Details") ?>"
+<a href="<?= url::site("exif/show/{$item->id}") ?>" title="<?= t("Photo Details") ?>"
class="gDialogLink gButtonLink ui-icon-left ui-state-default ui-corner-all">
<span class="ui-icon ui-icon-info"></span>
<?= t("View more information") ?>
</a>
- \ No newline at end of file
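Review bot: The rewritten `href` on the new side no longer carries a `csrf` parameter, and the controller behind `exif/show` is not part of this diff, so it is worth confirming that it does not still verify the token; if it does, the dialog link would be rejected. Dropping the token from a read-only view is reasonable, but the reason should be recorded, for example with a template comment such as `<? /* exif/show is read-only, no csrf token needed */ ?>`. The template now also relies on `$item` being set by `exif_theme`, which the companion hunk in modules/exif/helpers/exif_theme.php provides.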
diff --git a/modules/server_add/views/admin_server_add.html.php b/modules/server_add/views/admin_server_add.html.php
index e37b262c..6f87c512 100644
--- a/modules/server_add/views/admin_server_add.html.php
+++ b/modules/server_add/views/admin_server_add.html.php
@@ -8,7 +8,7 @@
<ul id="gPathList">
<? foreach ($paths as $id => $path): ?>
<li class="ui-icon-left">
- <a href="<?= url::site("admin/server_add/remove_path?path=$path&csrf=" . access::csrf_token()) ?>"
+ <a href="<?= url::site("admin/server_add/remove_path?path=$path&csrf=$csrf") ?>"
id="icon_<?= $id?>"
class="gRemoveDir ui-icon ui-icon-trash">
X
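Review bot: `$path` is interpolated into the query string on the new line without URL-encoding, and the resulting URL is printed into the `href` attribute without HTML escaping. A configured path containing `&`, `#`, `+`, a space or a double quote would be misparsed by the server or could break out of the attribute. Encode the value before building the URL, e.g. `url::site("admin/server_add/remove_path?path=" . urlencode($path) . "&csrf=$csrf")`, and HTML-escape the result if `url::site()` does not already do so. This is also a destructive action reachable through a plain GET link with the token in the URL. The `foreach` begins before this line and the `<a>` tag continues outside the hunk.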
diff --git a/modules/tag/views/admin_tags.html.php b/modules/tag/views/admin_tags.html.php
index db51555a..48d2d0f8 100644
--- a/modules/tag/views/admin_tags.html.php
+++ b/modules/tag/views/admin_tags.html.php
@@ -5,12 +5,12 @@
// using JS for adding link titles to avoid running t() for each tag
$("#gTagAdmin .tag-name").attr("title", "<?= t("Click to edit this tag") ?>");
$("#gTagAdmin .delete-link").attr("title", $(".delete-link:first span").html());
-
+
// In-place editing for tag admin
$(".gEditable").bind("click", editInplace);
});
// make some values available within tag.js
- var csrf_token = "<?= access::csrf_token() ?>";
+ var csrf_token = "<?= $csrf ?>";
var save_i18n = '<?= t("save") ?>';
var or_i18n = '<?= t("or") ?>';
var cancel_i18n = '<?= t("cancel") ?>';
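Review bot: `var csrf_token = "<?= $csrf ?>";` depends on a `$csrf` variable that this template never sets; per the commit message it is injected by Admin_View and Theme_View. If the file were ever rendered through a plain `View`, it would presumably emit an empty token and tag.js would send requests that fail the check. A template comment above the line would record the dependency, e.g. `<? /* $csrf is provided by Admin_View */ ?>`, and the same applies to every `$csrf` use added in this commit. The value is also written into a JavaScript string literal unencoded, which is safe only as long as the token format contains no quote or backslash characters. The enclosing script block starts and ends outside the hunk.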
diff --git a/modules/user/views/admin_users.html.php b/modules/user/views/admin_users.html.php
index 2d30b218..67dd297d 100644
--- a/modules/user/views/admin_users.html.php
+++ b/modules/user/views/admin_users.html.php
@@ -1,6 +1,6 @@
<?php defined("SYSPATH") or die("No direct script access.") ?>
<script type="text/javascript">
- var add_user_to_group_url = "<?= url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=" . access::csrf_token()) ?>";
+ var add_user_to_group_url = "<?= url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf") ?>";
$(document).ready(function(){
$("#gUserAdminList .core-info").draggable({
helper: "clone"
@@ -32,7 +32,7 @@
}
var remove_user = function(user_id, group_id) {
- var remove_user_url = "<?= url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=" . access::csrf_token()) ?>";
+ var remove_user_url = "<?= url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf") ?>";
$.get(remove_user_url.replace("__USERID__", user_id).replace("__GROUPID__", group_id),
{},
function() {