Fixes #1460, Fixes #1459: Tokens are not required to disable a plugin or install. This allows users to disable plugins that overwrite admin pages without tokens.

git-svn-id: http://code.elgg.org/elgg/trunk@3836 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 17 insertions, 7 deletions

diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index ad5f0c208..eafb42155 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -21,13 +21,23 @@
 function action($action, $forwarder = "") {
 	global $CONFIG;
 
-	// All actions require a token.
-	if (!action_gatekeeper()) {
-		$message = "ERROR: $action was called without an action token and has been ignored.  This is usually caused by outdated 3rd party plugins.";
-
-		error_log($message);
-		register_error($message);
-		forward();
+	// @todo REMOVE THESE EXCEPTIONS IN 1.8.
+	// These are only to provide a way to disable plugins that overwrite core
+	// UI without tokens.  (And for installation because of session_id problems)
+	$exceptions = array(
+		'systemsettings/install',
+		'admin/plugins/disable'
+	);
+
+	if (!in_array($action, $exceptions)) {
+		// All actions require a token.
+		if (!action_gatekeeper()) {
+			$message = "ERROR: $action was called without an action token and has been ignored.  This is usually caused by outdated 3rd party plugins.";
+
+			error_log($message);
+			register_error($message);
+			forward();
+		}
 	}
 
 	// if there are any query parameters, make them available from get_input