Fixed  styleid URLs require token?

Whats the correct way for users logged in? I know the style chooser is there for a reason but I'm working on something else that may need manual links to other styles logged in/out.
This is entirely intentional - anything that changes the user state shouldn't be available via GET, unless it's protected by a user-specific token. It's effectively a CSRF issue.

I'm not sure what the best option is.
Either way, it significantly changes what the user may see - and as a GET request, it could be embedded as an image, which would be really confusing.
Top Bottom