e-token check method returns now boolean; comments e-token check refined

e107_handlers/comment_class.php

@@ -340,6 +340,7 @@ class comment
 
 	/**
 	 * Add a comment to an item
+	 * e-token POST value should be always valid when using this method.
 	 *
 	 * @param unknown_type $author_name
 	 * @param unknown_type $comment
@@ -363,7 +364,8 @@ class comment
 
 		if ($this->getCommentPermissions() != 'rw') return;
 
-		e107::getSession()->check();			// This will abort on error
+		if(!isset($_POST['e-token'])) $_POST['e-token'] = '';		// check posted token
+		if(!e107::getSession()->check(false)) return false;			// This will return false on error
 
 		if (isset($_GET['comment']) && $_GET['comment'] == 'edit')
 		{

e107_handlers/session_handler.php

@@ -798,15 +798,16 @@ class e_core_session extends e_session
 	/**
 	 * Core CSF protection, see class2.php
 	 * Could be adopted by plugins for their own (different) protection logic
-	 * @return e_core_session
+	 * @param boolean $die
+	 * @return boolean
 	 */
-	public function check()
+	public function check($die = true)
 	{
 		// define('e_TOKEN_NAME', 'e107_token_'.md5($_SERVER['HTTP_HOST'].e_HTTP));
 		// TODO e-token required for all system forms?
 		
 		// only if not disabled and not in 'cli' mod
-		if(e_SECURITY_LEVEL < e_session::SECURITY_LEVEL_BALANCED || e107::getE107('cli')) return $this;
+		if(e_SECURITY_LEVEL < e_session::SECURITY_LEVEL_BALANCED || e107::getE107('cli')) return true;
 		
 		if($this->getSessionId())
 		{
@@ -829,7 +830,8 @@ class e_core_session extends e_session
 					e107::getAdminLog()->log_event('Unauthorized access!', $details, E_LOG_FATAL);				
 				}	
 				// do not redirect, prevent dead loop, save server resources
-				die('Unauthorized access!');
+				if($die) die('Unauthorized access!');
+				return false;
 			}
 		}
 		
@@ -849,7 +851,7 @@ class e_core_session extends e_session
 			}
 			define('e_TOKEN', $this->getFormToken());
 		}
-		return $this;
+		return true;
 	}
 	
 	/**