
Better http message on not allowed access

Laurent Destailleur 2 years ago
parent
commit
6b942aed6f
2 changed files with 7 additions and 3 deletions
  1. 5 1
      htdocs/core/ajax/security.php
  2. 2 2
      htdocs/main.inc.php

+ 5 - 1
htdocs/core/ajax/security.php

@@ -47,7 +47,7 @@ require '../../main.inc.php';
 $action = GETPOST('action');
 
 // Security check
-// None. This is public component with no effect on data.
+// None. This is public component with no access and effect on data.
 
 
 /*
@@ -66,4 +66,8 @@ if ($action) {
 		$generic = GETPOST('generic') ? true : false;
 		echo getRandomPassword($generic);
 	}
+} else {
+	if (GETPOST('errorcode') == 'InvalidToken') {
+		http_response_code(401);
+	}
 }
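Review bot: The new `else` branch decides the 401 from `GETPOST('errorcode')`, which reads the request parameters, so any caller can send `?errorcode=InvalidToken` and receive the 401 without a CSRF check having failed; since main.inc.php writes its marker into `$_GET`, the two cases are indistinguishable here. A server-side signal such as a constant defined in main.inc.php and tested with `defined(...)` would keep the status code tied to an actual token rejection — a hardening only, as the response carries no data. Separately, 401 is defined for missing or invalid authentication credentials and is expected to come with a `WWW-Authenticate` header; a rejected CSRF token on an otherwise authenticated session is closer to 403, so `http_response_code(403)` may fit better, subject to what the JS caller expects. The string comparison should also use `===` rather than `==`.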

+ 2 - 2
htdocs/main.inc.php

@@ -603,8 +603,6 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 			$savid = ((int) $_POST['id']);
 		}
 		unset($_POST);
-		//unset($_POST['action']); unset($_POST['massaction']);
-		//unset($_POST['confirm']); unset($_POST['confirmmassaction']);
 		unset($_GET['confirm']);
 		unset($_GET['action']);
 		unset($_GET['confirmmassaction']);
@@ -613,6 +611,8 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
 		if (isset($savid)) {
 			$_POST['id'] = ((int) $savid);
 		}
+		// So rest of code can know something was wrong here
+		$_GET['errorcode'] = 'InvalidToken';
 	}
 
 	// Note: There is another CSRF protection into the filefunc.inc.php
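Review bot: `$_GET['errorcode'] = 'InvalidToken'` in the second hunk stores a server-side failure signal in a request superglobal, so downstream code reading it through GETPOST() cannot tell it from a value the client supplied, and any `errorcode` parameter the request actually carried is overwritten unconditionally. A dedicated channel would carry the same information unambiguously, e.g. `define('DOL_CSRF_TOKEN_INVALID', 1);` here, with consumers testing `defined('DOL_CSRF_TOKEN_INVALID')` instead of the request. If `$_GET` is kept on purpose, the comment should state the trade-off, e.g. `// Stored in $_GET so GETPOST('errorcode') downstream sees it; a client can also set this value, so it must never gate access, only messaging.` The enclosing CSRF `if` block begins above this hunk.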