Blocks Plugin: csrf vulnerability resolved

plugins/box/blocks/blocks.admin.php

@@ -117,9 +117,15 @@
                                 ->display();
                     break;
                     case "delete_block":
-                        File::delete($blocks_path.Request::get('filename').'.block.html');
+
-                        Notification::set('success', __('Block <i>:name</i> deleted', 'blocks', array(':name' => File::name(Request::get('filename')))));
+                        if (Security::check(Request::get('token'))) { 
-                        Request::redirect('index.php?id=blocks');
+
+                            File::delete($blocks_path.Request::get('filename').'.block.html');
+                            Notification::set('success', __('Block <i>:name</i> deleted', 'blocks', array(':name' => File::name(Request::get('filename')))));
+                            Request::redirect('index.php?id=blocks');
+
+                        } else { die('csrf detected!'); }                        
+                        
                     break;
                 }
             } else {

plugins/box/blocks/views/backend/index.view.php

@@ -23,7 +23,7 @@
         <td>            
             <?php echo Html::anchor(__('Edit', 'blocks'), 'index.php?id=blocks&action=edit_block&filename='.basename($block, '.block.html'), array('class' => 'btn btn-actions')); ?>
             <?php echo Html::anchor(__('Delete', 'blocks'),
-                      'index.php?id=blocks&action=delete_block&filename='.basename($block, '.block.html'),
+                      'index.php?id=blocks&action=delete_block&filename='.basename($block, '.block.html').'&token='.Security::token(),
                        array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete block: :block', 'blocks', array(':block' => basename($block, '.block.html')))."')"));
             ?>
         </td>