XOOPS has a simple system for preventing CSRF in the DB layer.
POST && Good Referer --> allow all SQL
!POST || Bad Referer --> allow only SQL starting with "SELECT"
This is troublesome.
If someone posts a news item with the referer off, he will get the message "Your post has been received, successfully", but in fact there is no such post.
It's both obscure and insecure.
I insist that such protection in the DB layer should be removed, and each controller has been implemented with a token (ticket).
Don't forget CSRF starts with the assumption that JavaScript code can be inserted.
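Added example (not XOOPS code and not written by either poster): a PHP sketch that models the DB-layer rule from the first post next to a per-form token (ticket) check in the controller, so the silent refusal and the explicit rejection can be compared. All function names, the in-memory `$session` array and the case-insensitive `SELECT` match are assumptions made for illustration.

```php
<?php
// Added illustration; every name here is hypothetical, none is a XOOPS API.
// Model of the DB-layer rule: POST with a good Referer may run any SQL,
// everything else only SQL starting with SELECT (case-insensitive: assumed).
function db_layer_allows(string $sql, string $method, bool $goodReferer): bool
{
    if ($method === 'POST' && $goodReferer) {
        return true;
    }
    return stripos(ltrim($sql), 'SELECT') === 0;
}

// Token (ticket) approach: the controller issues and verifies a per-form value.
function issue_token(array &$session, string $form): string
{
    $token = bin2hex(random_bytes(16));   // unpredictable per-form value
    $session['tokens'][$form] = $token;
    return $token;
}

function check_token(array &$session, string $form, $submitted): bool
{
    $expected = $session['tokens'][$form] ?? null;
    unset($session['tokens'][$form]);     // single use, whether valid or not
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);   // constant-time comparison
}

function submit_news(array &$session, array $post, string $method): string
{
    if ($method !== 'POST' || !check_token($session, 'news', $post['token'] ?? null)) {
        return 'rejected: missing or invalid token';   // the user is told
    }
    return 'stored';                      // the INSERT would run here
}

// Constructed sample input.
$sql = "INSERT INTO news (title) VALUES ('hello')";
$session = [];

// Legitimate user whose browser sends no Referer.
echo 'DB layer, referer off: ', var_export(db_layer_allows($sql, 'POST', false), true), "\n";
$token = issue_token($session, 'news');
echo 'token, referer off:    ', submit_news($session, ['token' => $token], 'POST'), "\n";
// Cross-site POST that does not carry the token issued to the user's form.
issue_token($session, 'news');
echo 'token, forged request: ', submit_news($session, ['title' => 'x'], 'POST'), "\n";
// Replay of the token that was already consumed above.
echo 'token, replayed:       ', submit_news($session, ['token' => $token], 'POST'), "\n";
```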