Put csrf token into Admin_View and Theme_View by default, then use it

directly wherever possible instead of access::csrf_token().

modules/comment/views/admin_comments.html.php

@@ -1,7 +1,7 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
 <script type="text/javascript">
   var set_state_url =
-    "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=" . access::csrf_token()) ?>";
+    "<?= url::site("admin/comments/set_state/__ID__/__STATE__?csrf=$csrf") ?>";
   function set_state(state, id) {
     $.get(set_state_url.replace("__STATE__", state).replace("__ID__", id),
           {},
@@ -12,7 +12,7 @@
   }
 
   var delete_url =
-    "<?= url::site("admin/comments/delete/__ID__?csrf=" . access::csrf_token()) ?>";
+    "<?= url::site("admin/comments/delete/__ID__?csrf=$csrf") ?>";
 
   function del(id) {
     $.get(delete_url.replace("__ID__", id),
@@ -63,7 +63,7 @@
              $spam->count()) ?>
     </p>
     <p>
-      <a href="<?= url::site("admin/comments/delete_all_spam?csrf=" . access::csrf_token()) ?>">
+      <a href="<?= url::site("admin/comments/delete_all_spam?csrf=$csrf") ?>">
         <?= t("Delete all spam") ?>
       </a>
       <? else: ?>