CSRF Token + small fixes

core/Api/Notifications/Create.class.php

@@ -17,6 +17,7 @@ class Create extends Request {
       'message' =>  new StringType('message', 256),
     ));
     $this->isPublic = false;
+    $this->csrfTokenRequired = true;
   }
 
   private function checkUser($userId) {

core/Api/Notifications/Fetch.class.php

@@ -12,6 +12,7 @@ class Fetch extends Request {
   public function __construct($user, $externalCall = false) {
     parent::__construct($user, $externalCall, array());
     $this->loginRequired = true;
+    $this->csrfTokenRequired = true;
   }
 
   private function fetchUserNotifications() {