use edit token to protect against XSRF
Status: Beta
Brought to you by: worden
See http://www.mediawiki.org/wiki/Cross-site_request_forgery. A bad actor could insert a link into an email with an action like http://wiki/index.php/Special:ManageProject?project=X&ww-action=delete&action-filename=precious-file: if the receiver uses a webmail interface, say, the link would be opened with the user's credentials and the operation would be executed. If it was used as the URL in an IMG tag or something it would execute invisibly.
Solution: require an edit token to be submitted with the ww-action, which makes it only work when invoked from HTML provided by the wiki.
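The check proposed in this ticket, modelled as an added example (not WorkingWiki or MediaWiki code): a request carrying a `ww-action` is honoured only if it also carries a token the wiki issued for that session. The `token` parameter name, `SERVER_KEY`, the HMAC construction and the session ids are assumptions; the forged URL is the one from the ticket.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: one server-side key; the token is an HMAC of the session id.
SERVER_KEY = secrets.token_bytes(32)

# The link from the ticket, as it would arrive from an email link or IMG src.
FORGED_URL = ("http://wiki/index.php/Special:ManageProject"
              "?project=X&ww-action=delete&action-filename=precious-file")


def issue_token(session_id: str) -> str:
    """Token the wiki embeds in the HTML it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def query_params(url: str) -> dict:
    """Flatten a URL's query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle(params: dict, session_id: str) -> str:
    """Process a request that arrived with the user's session cookie attached."""
    action = params.get("ww-action")
    if action is None:
        return "view"  # no state change requested, no token required
    expected = issue_token(session_id).encode()
    supplied = params.get("token", "").encode()  # hypothetical parameter name
    if not hmac.compare_digest(supplied, expected):
        return "rejected"  # the session cookie alone is not enough to act
    return f"{action} {params.get('action-filename', '')}".strip()


if __name__ == "__main__":
    session = "constructed-session-id"  # constructed sample value
    forged = query_params(FORGED_URL)
    print(handle(forged, session))      # link from outside the wiki
    from_wiki = {**forged, "token": issue_token(session)}
    print(handle(from_wiki, session))   # form rendered by the wiki
```

The forged link fails because a page outside the wiki cannot read the token embedded in the victim's wiki HTML, so it cannot supply a matching value.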