Merge tag '1.8.14' of git://github.com/Elgg/Elgg into foxglove-3

Elgg 1.8.14

Conflicts:
	mod/tinymce/vendor/tinymce/jscripts/tiny_mce/langs/en.js
	mod/tinymce/vendor/tinymce/jscripts/tiny_mce/themes/advanced/langs/en_dlg.js

1 files changed, 13 insertions, 4 deletions

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 53b185dea..f78ca63df 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -65,12 +65,11 @@ function action($action, $forwarder = "") {
 	// @todo REMOVE THESE ONCE #1509 IS IN PLACE.
 	// Allow users to disable plugins without a token in order to
 	// remove plugins that are incompatible.
-	// Login and logout are for convenience.
+	// Logout for convenience.
 	// file/download (see #2010)
 	$exceptions = array(
 		'admin/plugins/disable',
 		'logout',
-		'login',
 		'file/download',
 	);
 
@@ -252,10 +251,20 @@ function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL)
 					register_error(elgg_echo('actiongatekeeper:pluginprevents'));
 				}
 			} else if ($visibleerrors) {
-				register_error(elgg_echo('actiongatekeeper:timeerror'));
+				// this is necessary because of #5133
+				if (elgg_is_xhr()) {
+					register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url())));
+				} else {
+					register_error(elgg_echo('actiongatekeeper:timeerror'));
+				}
 			}
 		} else if ($visibleerrors) {
-			register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
+			// this is necessary because of #5133
+			if (elgg_is_xhr()) {
+				register_error(elgg_echo('js:security:token_refresh_failed', array(elgg_get_site_url())));
+			} else {
+				register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
+			}
 		}
 	} else {
 		if (! empty($_SERVER['CONTENT_LENGTH']) && empty($_POST)) {