luci-app-radicale: protect start/stop actions with csrf token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

applications/luci-app-radicale/luasrc/controller/radicale.lua

@@ -15,7 +15,7 @@ function index()
 	entry( {"admin", "services", "radicale"}, alias("admin", "services", "radicale", "edit"), _("CalDAV/CardDAV"), 58)
 	entry( {"admin", "services", "radicale", "edit"}, cbi("radicale") ).leaf = true
 	entry( {"admin", "services", "radicale", "logview"}, call("_logread") ).leaf = true
-	entry( {"admin", "services", "radicale", "startstop"}, call("_startstop") ).leaf = true
+	entry( {"admin", "services", "radicale", "startstop"}, post("_startstop") ).leaf = true
 	entry( {"admin", "services", "radicale", "status"}, call("_status") ).leaf = true
 end
 

applications/luci-app-radicale/luasrc/view/radicale/btn_startstop.htm

@@ -21,7 +21,7 @@
 	function onclick_startstop(id) {
 		// do start/stop
 		var btnXHR = new XHR();
-		btnXHR.get('<%=url('admin/services/radicale/startstop')%>', null,
+		btnXHR.post('<%=url('admin/services/radicale/startstop')%>', { token: '<%=token%>' },
 			function(x) { _data2elements(x); }
 		);
 	}