* add (disabled) shortcut syntax for plugin methods

* add controls shortcut for pluginhandler tags
 * add similar shortcut for frontend
 * allow plugins to selectively exclude their methods from CSRF checking

classes/plugin.php

@@ -54,4 +54,8 @@ abstract class Plugin {
 
 		return vsprintf($this->__($msgid), $args);
 	}
+
+	function csrf_ignore($method) {
+		return false;
+	}
 }

classes/pluginhandler.php

@@ -11,7 +11,7 @@ class PluginHandler extends Handler_Protected {
 
 		if ($plugin) {
 			if (method_exists($plugin, $method)) {
-				if (validate_csrf($csrf_token)) {
+				if (validate_csrf($csrf_token) || $plugin->csrf_ignore($method)) {
 					$plugin->$method();
 				} else {
 					user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);

classes/pluginhost.php

@@ -611,6 +611,17 @@ class PluginHost {
 					$params));
 	}
 
+	// shortcut syntax (disabled for now)
+	/* function get_method_url(Plugin $sender, string $method, $params)  {
+		return get_self_url_prefix() . "/backend.php?" .
+			http_build_query(
+				array_merge(
+					[
+						"op" => strtolower(get_class($sender) . self::PUBLIC_METHOD_DELIMITER . $method),
+					],
+					$params));
+	} */
+
 	// WARNING: endpoint in public.php, exposed to unauthenticated users
 	function get_public_method_url(Plugin $sender, string $method, $params)  {
 		if ($sender->is_public_method($method)) {
@@ -618,7 +629,7 @@ class PluginHost {
 				http_build_query(
 					array_merge(
 						[
-							"op" => strtolower(get_class($sender) . PluginHost::PUBLIC_METHOD_DELIMITER . $method),
+							"op" => strtolower(get_class($sender) . self::PUBLIC_METHOD_DELIMITER . $method),
 						],
 						$params));
 		} else {