The only thing you really need to hack any Rukovoditel is to know the URL. For 1+2 it is enough to just open a link with malicious code in the browser. No need for downloading. 3 is probable, as there is a "remember me" function on the login screen. For 4 it is enough to target the admin.

I don't agree with that. Too many IFs.
1) If you download the hack file
2) If you run it
3) If you are logged in
4) If you have access
then it can run some actions.
If a hacker wanted to hack your personal Rukovoditel instance and knew its URL, it would be enough for him to create a new thread on the forum and say "Hey Sergei, there is a bug in my Rukovoditel, I have posted a screenshot here: http://example.com/hackerswebsite/csrf_hack". You will click, and if you are logged in the attack is successful.

Or a different scenario. There are some links to systems based on Rukovoditel posted in this forum. A hacker can prepare malicious code for any of them and then send the user a PM with "I think there is a security vulnerability in your application. I have prepared a demonstration of it. Login first or the demonstration will not work and then check here: http://example.com/hackerswebsite/hacke ... /csrf_hack". The user clicks and the hacker is in.
Opening an item page is okay; IMHO there is no way to abuse any viewing action via this CSRF, so there is no need to tokenize those URLs. But all the edit/delete actions should be protected.

But I don't want to add a token to all URLs because it will not be possible to open an item page from an email notification etc.
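As an added illustration of the policy discussed above (a per-session token required for edit/delete, none for view links such as those in email notifications), here is a small Python sketch of the check. It is example code, not Rukovoditel's own; the function names, the action names and the dict-based session are assumptions.

```python
import hmac
import secrets
from typing import Optional

# Actions that change state must carry a valid per-session CSRF token.
# Read-only views (e.g. the item page opened from an email notification)
# need none, so such links keep working without a token in the URL.
STATE_CHANGING_ACTIONS = {"edit", "delete"}


def issue_token(session: dict) -> str:
    """Create (once per login session) the token the app embeds in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def is_allowed(session: dict, action: str, submitted: Optional[str]) -> bool:
    """Viewing is always allowed; edit/delete only with the session's token.

    A page served by this application can embed the token in its form;
    a link or form hosted on a third-party site cannot know it, so the
    forged request arrives without a matching token and is refused.
    """
    if action not in STATE_CHANGING_ACTIONS:
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


def handle_request(session: dict, action: str, params: dict) -> tuple:
    """Tiny dispatcher: returns (status, message) like a real handler would."""
    # The token is read from the submitted form body, not from the query string,
    # so it does not leak through Referer headers or browser history.
    if not is_allowed(session, action, params.get("token")):
        return 403, "forbidden"
    return 200, f"{action} ok"


if __name__ == "__main__":
    admin = {"user": "admin"}                     # constructed logged-in session
    print(handle_request(admin, "view", {"id": "7"}))            # email link: 200
    print(handle_request(admin, "delete", {"id": "7"}))          # forged: 403
    token = issue_token(admin)
    print(handle_request(admin, "delete", {"id": "7", "token": token}))  # own form: 200
```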