From 5d9e35a3edd7e54b6335ee1ccaba8230039af45e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 14 Sep 2009 01:56:24 +0000
Subject: [PATCH] Fix: CSRF protection is enabled only if MAIN_SECURITY_CSRF is set.

---
 htdocs/main.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 382c1fc2507..24b0a7515b1 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -201,13 +201,13 @@ if (! defined('NOTOKENRENEWAL'))
 if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
 $_SESSION['newtoken'] = $token;
 }
-if (empty($conf->global->MAIN_FEATURES_LEVEL)) // Check validity of token, only if not a dev instance (this make developper tests no more working)
+if (! empty($conf->global->MAIN_SECURITY_CSRF)) // Check validity of token, only if not option enabled (this option breaks some features sometimes)
 {
 if (isset($_POST['token']) && isset($_SESSION['token']))
 {
 if (($_POST['token'] != $_SESSION['token']))
 {
- dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token']=".$_SESSION['token']);
+ dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'].", _POST['token']=".$_POST['token'].", _SESSION['token']=".$_SESSION['token'],LOG_WARNING);
 //print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
 unset($_POST);
 }
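Review bot: The added dol_syslog line writes the live session token (`_SESSION['token']=`) into the log at LOG_WARNING, so anyone who can read the syslog learns a value that would pass this very check for the remainder of the session; log the mismatch without the secret, e.g. `dol_syslog("Invalid token in ".$_SERVER['HTTP_REFERER'].", action=".$_POST['action'], LOG_WARNING);`. The trailing comment on the new `if (! empty($conf->global->MAIN_SECURITY_CSRF))` line says the check runs "only if not option enabled", which is the opposite of the condition; suggest `// Check validity of token only if MAIN_SECURITY_CSRF is enabled (the check breaks some features)`. Since the gate is now `! empty(...)`, installations that never set MAIN_SECURITY_CSRF skip token validation entirely, which appears to be the intent per the subject line but is worth stating in the option's documentation. `$_SERVER['HTTP_REFERER']` and `$_POST['action']` are read unguarded in the log call and presumably may be absent on some requests. The two outer `if` blocks opened in this hunk close beyond its last line.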