Require token for ajax (thanks to @cdnmall).

web/js/events.js

@@ -387,7 +387,7 @@ VE.navigation.switch_menu = function(position){
 VE.notifications.get_list = function(){
 /// TODO get notifications only once
     $.ajax({
-        url: "/list/notifications/?ajax=1",
+        url: "/list/notifications/?ajax=1&token="+$('#token').attr('token'),
         dataType: "json"
     }).done(function(data) {
         var acc = [];

web/list/notifications/index.php

@@ -5,7 +5,7 @@ error_reporting(NULL);
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 
-if($_REQUEST['ajax'] == 1){
+if($_REQUEST['ajax'] == 1 && $_REQUEST['token'] == $_SESSION['token']){
     // Data
     exec (HESTIA_CMD."v-list-user-notifications $user json", $output, $return_var);
     $data = json_decode(implode('', $output), true);