From d56d97a4395a481db4818f7c28774c46b4d7d0d4 Mon Sep 17 00:00:00 2001
From: Mikael Nordfeldth
Date: Sun, 18 May 2014 20:19:05 +0200
Subject: [PATCH] Only POST Form widgets send a session token.
---
 lib/form.php | 4 +++-
 lib/searchform.php | 5 -----
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/lib/form.php b/lib/form.php
index 6a181f7951..ee97f7a32f 100644
--- a/lib/form.php
+++ b/lib/form.php
@@ -91,7 +91,9 @@ class Form extends Widget
 function sessionToken()
 {
- $this->out->hidden('token-' . $this->id() ?: common_random_hexstr(3), common_session_token(), 'token');
+ if (strtolower($this->method()) == 'post') {
+ $this->out->hidden('token-' . $this->id() ?: common_random_hexstr(3), common_session_token(), 'token');
+ }
 }
 /**
diff --git a/lib/searchform.php b/lib/searchform.php
index 02ccbc302d..9d6b40e363 100644
--- a/lib/searchform.php
+++ b/lib/searchform.php
@@ -106,9 +106,4 @@ class SearchForm extends Form
 {
 return 'get';
 }
-
-
- function sessionToken()
- {
- return;
- }
 }
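Review bot: In lib/form.php's sessionToken(), the first argument to hidden() on the re-indented line still parses as `('token-' . $this->id()) ?: common_random_hexstr(3)`, because `.` binds tighter than `?:`. The left operand is never an empty string, so the random fallback is unreachable and a form without an id would presumably end up with the bare value `token-`, shared by every such form on the page; parenthesise it as `'token-' . ($this->id() ?: common_random_hexstr(3))`. The new guard would also read better with a strict comparison, `strtolower($this->method()) === 'post'`. Since the token is now omitted for every non-POST form, a comment such as `// GET forms carry their fields in the URL, so the session token is only emitted for POST` would record the intent. It would also remind maintainers that a state-changing action submitted by any other method gets no CSRF token from this widget.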