Open hajo-p opened 10 years ago
CSRF won't stop that; it's up to the access control to defend against such things. Access control is not implemented yet, but will be before the first RC is out.
That's wrong. CSRF is exactly the attack vector which easily avoids access control, since you attack with the rights of the user. @laszlokorte is correct about that.
Currently records (users, tags) can be deleted via GET request...
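
Added example (not part of the thread and not the project's code): a framework-free sketch of why access control alone does not cover the GET-delete case discussed above, next to a handler that requires POST plus a per-session CSRF token. The request dictionaries, session store and function names are all hypothetical.

```python
import hmac
import secrets

# Constructed sample data: one logged-in session that is allowed to delete.
SESSIONS = {"sid-admin": {"user": "admin", "can_delete": True,
                          "csrf": secrets.token_hex(16)}}

def access_allowed(req):
    """Access control: may the session's user delete records?"""
    session = SESSIONS.get(req["cookies"].get("sid"))
    return bool(session and session["can_delete"])

def delete_unsafe(req, records):
    """Pattern from the issue: any method deletes, only access control is checked."""
    if not access_allowed(req):
        return 403
    records.discard(req["params"]["id"])
    return 200

def delete_hardened(req, records):
    """State change only on POST, and only with the session's CSRF token."""
    if req["method"] != "POST":
        return 405
    if not access_allowed(req):
        return 403
    expected = SESSIONS[req["cookies"]["sid"]]["csrf"]
    sent = req["params"].get("csrf", "")
    if not hmac.compare_digest(expected, sent):  # constant-time comparison
        return 403
    records.discard(req["params"]["id"])
    return 200

def cross_site_request(method="GET"):
    """Request triggered from another origin: the browser attaches the user's
    session cookie, but the other origin cannot read the CSRF token."""
    return {"method": method, "cookies": {"sid": "sid-admin"},
            "params": {"id": "tag-1"}}

def same_site_request():
    """Request from the application's own form, which embeds the token."""
    return {"method": "POST", "cookies": {"sid": "sid-admin"},
            "params": {"id": "tag-1", "csrf": SESSIONS["sid-admin"]["csrf"]}}
```

The cross-site request passes `access_allowed` in both handlers because it carries the user's own session; only the method restriction and the token check tell it apart from a request the user intended.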