diff --git a/custom/panel_templates/Default/core/widgets.tpl b/custom/panel_templates/Default/core/widgets.tpl
index 1e903dc808..910fc7e91a 100644
--- a/custom/panel_templates/Default/core/widgets.tpl
+++ b/custom/panel_templates/Default/core/widgets.tpl
@@ -49,10 +49,16 @@
diff --git a/modules/Core/pages/panel/widgets.php b/modules/Core/pages/panel/widgets.php
index 2c494eb83a..5b17088d39 100644
--- a/modules/Core/pages/panel/widgets.php
+++ b/modules/Core/pages/panel/widgets.php
@@ -66,27 +66,30 @@
// Enable a widget
if (!isset($_GET['w']) || !is_numeric($_GET['w'])) die('Invalid widget!');
- // Get widget name
- $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
-
- if (count($name)) {
- $name = Output::getClean($name[0]->name);
- $widget = $widgets->getWidget($name);
-
- if (!is_null($widget)) {
- $queries->update(
- 'widgets',
- $_GET['w'],
- array(
- 'enabled' => 1
- )
- );
-
- $widgets->enable($widget);
-
- Session::flash('admin_widgets', $language->get('admin', 'widget_enabled'));
+ if (Token::check($_POST['token'])) {
+ // Get widget name
+ $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
+
+ if (count($name)) {
+ $name = Output::getClean($name[0]->name);
+ $widget = $widgets->getWidget($name);
+
+ if (!is_null($widget)) {
+ $queries->update(
+ 'widgets',
+ $_GET['w'],
+ array(
+ 'enabled' => 1
+ )
+ );
+
+ $widgets->enable($widget);
+
+ Session::flash('admin_widgets', $language->get('admin', 'widget_enabled'));
+ }
}
- }
+
+ } else Session::flash('admin_widgets_error', $language->get('general', 'invalid_token'));
Redirect::to(URL::build('/panel/core/widgets'));
die();
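Review bot: The new guard `if (Token::check($_POST['token']))` reads `$_POST['token']` without first checking it exists, so the plain GET link this page previously accepted now raises an undefined-index notice and hands `null` to `Token::check()`; whether that is rejected depends on `Token::check`'s handling of a null argument, which is not visible here. Guard it explicitly so the intent does not rest on that behaviour: `if (isset($_POST['token']) && Token::check($_POST['token'])) {`. The template change that should turn the enable link into a form posting the token is in the `widgets.tpl` hunk whose body is not visible in this view, so I cannot confirm the UI side matches. The brace-less `} else Session::flash(...)` is also out of step with the rest of the block; I would write it as `} else { Session::flash('admin_widgets_error', $language->get('general', 'invalid_token')); }`.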
@@ -96,26 +99,29 @@
die('Invalid widget!');
}
- // Get widget name
- $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
- if (count($name)) {
- $name = Output::getClean($name[0]->name);
- $widget = $widgets->getWidget($name);
-
- if (!is_null($widget)) {
- $queries->update(
- 'widgets',
- $_GET['w'],
- array(
- 'enabled' => 0
- )
- );
-
- $widgets->disable($widget);
-
- Session::flash('admin_widgets', $language->get('admin', 'widget_disabled'));
+ if (Token::check($_POST['token'])) {
+ // Get widget name
+ $name = $queries->getWhere('widgets', array('id', '=', $_GET['w']));
+ if (count($name)) {
+ $name = Output::getClean($name[0]->name);
+ $widget = $widgets->getWidget($name);
+
+ if (!is_null($widget)) {
+ $queries->update(
+ 'widgets',
+ $_GET['w'],
+ array(
+ 'enabled' => 0
+ )
+ );
+
+ $widgets->disable($widget);
+
+ Session::flash('admin_widgets', $language->get('admin', 'widget_disabled'));
+ }
}
- }
+
+ } else Session::flash('admin_widgets_error', $language->get('general', 'invalid_token'));
Redirect::to(URL::build('/panel/core/widgets'));
die();
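Review bot: The disable path has the same unguarded read of `$_POST['token']` as the enable path above; `if (isset($_POST['token']) && Token::check($_POST['token'])) {` keeps a tokenless request from reaching `Token::check()` with `null`, which is only safe if that method rejects null (not visible here). The body under the check is otherwise a line-for-line copy of the enable branch, differing only in the `enabled` value, `$widgets->disable()` versus `$widgets->enable()`, and the flash message, so a small helper that takes the widget id and a boolean and performs the lookup, `getWidget()`, update and enable/disable call would let both handlers share one tested code path. Both branches still identify the widget from `$_GET['w']` after the `is_numeric` check that precedes the hunk; that lookup is unchanged by this commit. The brace-less `} else Session::flash(...)` would read more consistently with braces, as elsewhere in the block.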
@@ -250,6 +256,10 @@
$success = Session::flash('admin_widgets');
}
+if (Session::exists('admin_widgets_error')) {
+ $errors = [Session::flash('admin_widgets_error')];
+}
+
if (isset($success)) {
$smarty->assign(
array(