update comment for avatar csrf, and add csrf token check to permission page

src/messenger/webim/operator/permissions.php

@@ -23,6 +23,7 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 
+csrfchecktoken();
 $operator = check_login();
 
 function update_operator_permissions($operatorid, $newvalue)
@@ -89,4 +90,4 @@ prepare_menu($operator);
 setup_operator_settings_tabs($opId, 3);
 start_html_output();
 require('../view/permissions.php');
-?>
+?>

src/messenger/webim/view/avatar.php

@@ -36,7 +36,10 @@ require_once('inc_errors.php');
 ?>
 
 <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
+
+<!-- add csrf token -->
 <?php print_csrf_token_input() ?>
+
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>

src/messenger/webim/view/permissions.php

@@ -39,6 +39,10 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php">
+
+<!-- add csrf token -->
+<?php print_csrf_token_input() ?>
+
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>
@@ -67,4 +71,4 @@ require_once('inc_errors.php');
 } /* content */
 
 require_once('inc_main.php');
-?>
+?>