horde · TDannhauer · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026
diff --git a/lib/Horde/Core/Block/Collection.php b/lib/Horde/Core/Block/Collection.php
@@ -87,11 +87,17 @@ public function getLayout()
     /**
      * Return the layout manager for this collection.
      *
+     * @param Horde_Session|null $session  Session for CSRF token checks.
+     *
      * @return Horde_Core_Block_Layout_Manager  Layout manager object.
      */
-    public function getLayoutManager()
+    public function getLayoutManager(?Horde_Session $session = null)
     {
-        return new Horde_Core_Block_Layout_Manager($this);
+        if ($session === null && isset($GLOBALS['injector'])) {
+            $session = $GLOBALS['injector']->getInstance('Horde_Session');
+        }
+
+        return new Horde_Core_Block_Layout_Manager($this, $session);
     }
 
     /**

diff --git a/lib/Horde/Core/Block/Layout/Manager.php b/lib/Horde/Core/Block/Layout/Manager.php
@@ -1,8 +1,5 @@
 <?php
 
-use Horde\Core\Session\HordeSession;
-use Horde\Token\Exception\TokenException;
-use Horde\Token\Token;
 use Horde\Util\Util;
 
 /**
@@ -82,14 +79,23 @@ class Horde_Core_Block_Layout_Manager extends Horde_Core_Block_Layout implements
      */
     protected $_changedCol = null;
 
+    /**
+     * Session instance for CSRF validation.
+     *
+     * @var Horde_Session|null
+     */
+    protected $_session;
+
     /**
      * Constructor.
      *
      * @param Horde_Core_Block_Collection $collection  TODO
+     * @param Horde_Session|null $session  Session for CSRF token checks.
      */
-    public function __construct(Horde_Core_Block_Collection $collection)
+    public function __construct(Horde_Core_Block_Collection $collection, ?Horde_Session $session = null)
     {
         $this->_collection = $collection;
+        $this->_session = $session;
         $this->_editUrl = Horde::selfUrl();
         $this->_layout = $collection->getLayout();
 
@@ -218,19 +224,11 @@ public function handle($action, $row, $col, $url = null)
             case 'save':
                 // Save the changes made to a block and continue editing.
             case 'save-resume':
-                // Check form token.
-                $tokenService = $GLOBALS['injector']->getInstance(Token::class);
-                try {
-                    $valid = $tokenService->isValid(
-                        (string) Util::getFormData('token'),
-                        HordeSession::CSRF_SEED
-                    );
-                } catch (TokenException $e) {
-                    throw new Horde_Exception('Invalid token!');
-                }
-                if (!$valid) {
+                // Check form token (same path as Horde_Session::getToken()).
+                if ($this->_session === null) {
                     throw new Horde_Exception('Invalid token!');
                 }
+                $this->_session->checkToken((string) Util::getFormData('token'));
 
                 // Get requested block type.
                 [$newapp, $newtype] = explode(':', Util::getFormData('app'));