EONE-62 (New Feature): Introducing user tokens (token logic could change in the future);

init_session automated user token check (POST or GET);
new referal e_form method (hidden field with proper user token value);
Admin UI protects now all its forms;

e107_handlers/user_model.php

@@ -183,6 +183,17 @@ class e_user_model extends e_front_model
 		return ($this->isAdmin() ? $this->get('user_perms') : false);
 	}
 
+	public function getToken()
+	{
+		if($this->isUser()) return '';
+
+		if(null === $this->get('user_token'))
+		{
+			$this->set('user_token', md5($this->get('user_password').$this->get('user_lastvisit').$this->get('user_pwchange').$this->get('user_class')));
+		}
+		return $this->get('user_token');
+	}
+
 	public function isCurrent()
 	{
 		return false;
@@ -294,10 +305,21 @@ class e_user_model extends e_front_model
 		return $editor->isAdmin();
 	}
 
+	/**
+	 * Check passed value against current user token
+	 * @param string $token md5 sum of e.g. posted token
+	 * @return boolean
+	 */
+	final public function checkToken($token)
+	{
+		$utoken = $this->getToken();
+		return (null !== $utoken && $token === md5($utoken));
+	}
+
 	/**
 	 * Bad but required (BC) method of retrieving all user data
 	 * It's here to be used from get_user_data() core function.
-	 * DON'T USE IT unless you have VERY good reason to do it.
+	 * DON'T USE THEM BOTH unless you have VERY good reason to do it.
 	 *
 	 * @return array
 	 */