Elgg 1.7 beta bug report

Hello Brett,

Simple bug, with the 1.7 beta release. Whenever I click on the blogs plugin:

"mod/blog/everyone.php".

It shows the token error.

Regards,
Uddhava dasa

  • A simple function like this would be helpful in the core:

     

    function get_security_token_str() {
        $ts = time();
        $token = generate_action_token($ts);
        $string = "?__elgg_token={$token}&__elgg_ts={$ts}";
        return $string;
    }

     

    Maybe there is already a similar one, but I couldn't find it. It would make adding action tokens to links a bit easier.

  • Good job, Vazco. Maybe you can offer a patch?

  • @vazco - I checked here: http://docs.elgg.org/wiki/Actions#Security and there is something similar: elgg_validate_action_url()

    I don't know about you but I find the function name a little confusing. I expect a function with "validate" in it to return a true/false. If other developers feel the same, we can probably suggest a different function name.

  • @Yakiv - you are correct that you will get an error if you try to log out on a stale page. I have also never seen another application use CSRF protection on the logout action. I agree that it seems odd.
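As an added illustration (not part of the thread and not Elgg's own code): appending the two token parameters to a link that may already carry a query string or fragment, with the matching server-side check that makes a link from a stale page fail. `demo_action_token()`, `DEMO_SECRET`, `TOKEN_TTL` and the binding to a session id are assumptions standing in for Elgg's `generate_action_token()` and its validation.

```php
<?php
// Added example, not Elgg code. demo_action_token() is a hypothetical stand-in for
// generate_action_token(); the secret, lifetime and session binding are assumptions.
const DEMO_SECRET = 'constructed-site-secret';
const TOKEN_TTL = 3600; // assumed token lifetime in seconds

function demo_action_token(int $ts, string $session_id): string {
    return hash_hmac('sha256', $ts . '|' . $session_id, DEMO_SECRET);
}

// Append __elgg_ts and __elgg_token to a URL, keeping any existing query string
// and fragment, and overwriting token parameters already present.
function add_tokens_to_url(string $url, string $session_id, ?int $now = null): string {
    $ts = $now ?? time();
    $parts = parse_url($url);
    if ($parts === false) {
        throw new InvalidArgumentException('Malformed URL');
    }
    parse_str($parts['query'] ?? '', $query);
    $query['__elgg_ts'] = $ts;
    $query['__elgg_token'] = demo_action_token($ts, $session_id);
    $out = isset($parts['scheme']) ? $parts['scheme'] . '://' : '';
    $out .= $parts['host'] ?? '';
    $out .= isset($parts['port']) ? ':' . $parts['port'] : '';
    $out .= $parts['path'] ?? '';
    $out .= '?' . http_build_query($query);
    $out .= isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
    return $out;
}

// Server-side check: the timestamp must be fresh and the token must match.
function tokens_are_valid(array $params, string $session_id, ?int $now = null): bool {
    $now = $now ?? time();
    $ts = (int) ($params['__elgg_ts'] ?? 0);
    $token = $params['__elgg_token'] ?? '';
    if (!is_string($token) || $ts <= 0 || $ts > $now || $now - $ts > TOKEN_TTL) {
        return false;
    }
    return hash_equals(demo_action_token($ts, $session_id), $token);
}

// Constructed sample link, session ids and timestamps.
$url = add_tokens_to_url('http://example.org/action/blog/delete?guid=42#top', 'sess-abc', 1265760000);
echo $url, "\n";
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(tokens_are_valid($params, 'sess-abc', 1265760000 + 60));      // link used shortly after render
var_dump(tokens_are_valid($params, 'sess-abc', 1265760000 + 7200));    // link clicked on a stale page
var_dump(tokens_are_valid($params, 'other-session', 1265760000 + 60)); // token replayed in another session
```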

  • @Blue - works for me. Make sure you are testing with the default theme. If themes overrode views that include the action security, they will need to be upgraded.

  • Re: old files

    Brett's change (a version with this change is here: http://elgg.org/download/nightly/elgg-20100210.zip) only applies to library files in /engine/lib/. Previously, the directory was scanned and all php files were loaded. This meant old library files were being loaded. Brett added a list of files in /engine/start.php that is used to load the library files.

    If you'd like to delete your old files and start with your new files: delete all files except /engine/settings.php [Edit - I had the wrong file there before!] (and backup .htaccess if you made any changes to it). Copy the new files. Hit the site (which creates a new .htaccess file if given permissions) and if needed, update the .htaccess with any changes from the default one. 

    Overall, it really shouldn't matter if old files are lying around.

  • Upgrading Elgg Installs

    I have upgraded a production site from 1.1 to 1.2 to 1.5 to 1.6 without any database difficulty. I always try it first on a cloned version of the database.

    I have also moved the database to a different production server once and restored it from a backup once due to a failure.

    The upgrade process is solid from my experience. Most people run into trouble with themes and plugins that break. 1.6 was particularly troublesome because it used a different version of jQuery.

  • @Cash, I have fixed the check mark display issue, for Opera. I have contributed the code back, on the ticket page.  But, here's basically the code, for fixing the check boxes:

    input[type="checkbox"] {
        margin:0;
        padding:0;
        border:none;
        -opera-height:22px;
        -opera-width:22px;
    }

    I put that code into the css.php in /views/default/ under the following section:

    /* ***************************************
        GENERAL FORM ELEMENTS
    *************************************** */

    It takes care of Opera and Firefox; IE and Safari are just fine. Feel free to tweak it more, if you want, but that's how to get at it.

    Something occurred to me and so I pursued this as a possible fix. I remembered that Opera doesn't properly display animated gifs that are smaller than 20pixels by 20pixels.  So, it occurred to me to set the height and width for this form element, for Opera.  And it worked!

  • There are two groups:river:member items in /elgg/mod/groups/languages/en.php. Is it a small bug?

  • @Cash

    Yes, it was exactly caused by my own theme. Thanks!

Feedback and Planning

Discussions about the past, present, and future of Elgg and this community site.