[BUGFIX] Enforce CSRF token for sub requests
With this change dispatching of requests is intercepted recursively
so that a valid CSRF token is enforced for sub requests, too.
Previously the token was only enforced on the main ActionRequest.
Previously the CSRF token was enforced via an AOP aspect. But one aspect
can only be executed once at a time. So calls of
``Dispatcher::dispatch()`` that are invoked during the execution of the
same method (which is the case for plugin or widget sub requests)
weren't intercepted by the aspect.
This change removes the aspect in favor of a hard coded check in the