Testing CSRF from admin login, if works well then we will make it official

system/controllers/admin.php

@@ -23,6 +23,11 @@ switch ($do) {
     case 'post':
         $username = _post('username');
         $password = _post('password');
+        //csrf token
+        $csrf_token = _post('csrf_token');
+        if (!Csrf::check($csrf_token)) {
+            _alert(Lang::T('Invalid CSRF Token') . ".", 'danger', "admin");
+        }
         run_hook('admin_login'); #HOOK
         if ($username != '' and $password != '') {
             $d = ORM::for_table('tbl_users')->where('username', $username)->find_one();
@@ -56,6 +61,8 @@ switch ($do) {
         break;
     default:
         run_hook('view_login'); #HOOK
+        $csrf_token = Csrf::generateAndStoreToken();
+        $ui->assign('csrf_token', $csrf_token);
         $ui->display('admin-login.tpl');
         break;
 }

ui/ui/admin-login.tpl

@@ -24,6 +24,7 @@
                 {$notify}
             {/if}
             <form action="{$_url}admin/post" method="post">
+                <input type="hidden" name="csrf_token" value="{$csrf_token}">
                 <div class="form-group has-feedback">
                     <input type="text" required class="form-control" name="username" placeholder="{Lang::T('Username')}">
                     <span class="glyphicon glyphicon-user form-control-feedback"></span>