Security: enforce CSRF token on gradebook evaluation add/edit forms

The gradebook evaluation add and edit forms (EvalForm/FormValidator) were
state-changing POST endpoints with no anti-CSRF token. FormValidator does
not inject a CSRF token on its own, so the forms accepted forged
cross-site submissions.

Add the standard Chamilo legacy idiom: validate Security::check_token('post')
before persisting (api_not_allowed on failure, clear_token on success) and
emit a fresh sec_token hidden field on the display path, mirroring the
pattern already used in exercise/tests_category.php and group/settings.php.

Refs GHSA-vjmr-7vxh-wpg2

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: AngelFQC

public/main/gradebook/gradebook_add_eval.php

@@ -31,6 +31,10 @@
 );
 
 if ($form->validate()) {
+    if (!Security::check_token('post')) {
+        api_not_allowed(true);
+    }
+    Security::clear_token();
     $values = $form->exportValues();
     $entityManager = Database::getManager();
     $course = $entityManager->getRepository(Course::class)->find(api_get_course_int_id());
@@ -166,5 +170,9 @@
 
 echo '</div>';
 
+$token = Security::get_token();
+$form->addElement('hidden', 'sec_token');
+$form->setConstants(['sec_token' => $token]);
+
 $form->display();
 Display::display_footer();

public/main/gradebook/gradebook_edit_eval.php

@@ -36,6 +36,10 @@
     api_get_self().'?editeval='.intval($_GET['editeval']).'&'.api_get_cidreq()
 );
 if ($form->validate()) {
+    if (!Security::check_token('post')) {
+        api_not_allowed(true);
+    }
+    Security::clear_token();
     $values = $form->exportValues();
 
     $entityManager = Database::getManager();
@@ -106,5 +110,10 @@
 </script>';
 
 Display::display_header(get_lang('Edit evaluation'));
+
+$token = Security::get_token();
+$form->addElement('hidden', 'sec_token');
+$form->setConstants(['sec_token' => $token]);
+
 $form->display();
 Display::display_footer();