Fix hardcoded csrf field name for actions

[michalkaczmarek-bitbag]

Q	A
Bug fix?	yes
New feature?	no
BC breaks?	no
Deprecations?	no
Related tickets	Sylius/Sylius#19001, Sylius/Sylius#19008, Sylius/Sylius#19011
License	MIT

Summary

Fixes hardcoded _csrf_token field name in ResourceController actions.
The field name is now configurable, allowing applications to customize the
CSRF token parameter expected in request bodies.

Problem

ResourceController::deleteAction(), bulkDeleteAction(), and
applyStateMachineTransitionAction() had _csrf_token hardcoded as the
request field name. Applications that need to use a different field name
(e.g. to avoid collisions or follow internal conventions) had no way to
override it.

Solution

Added a new configuration option with _csrf_token as default — fully
backward compatible.

sylius_resource:
    settings:
        csrf_parameter: _my_csrf_field   # default: _csrf_token

The configured value is:
- injected into ResourceController constructor as the 18th argument
(default _csrf_token),
- exposed in Twig via the sylius_csrf_parameter() function so templates
can render the right field name.

<input type="hidden" name="{{ sylius_csrf_parameter() }}" value="{{
csrf_token(resource.id) }}">

[michalkaczmarek-bitbag]

@loic425 Hi, please check PR. These changes are strongly related with changes Sylius/Sylius. Merge this branch is needed for continue work on bugfix in Sylius. Details in attached PR's

[loic425]

Could you a few tests on SyliusResourceExtensionTest?

[michalkaczmarek-bitbag]

Could you a few tests on SyliusResourceExtensionTest?

I added tests. You can check @loic425

[michalkaczmarek-bitbag]

@loic425 I add one more change in ResourceController. I change visibility variable from private to protected to child classes they can inherit this variable (csrf_parameter)

[michalkaczmarek-bitbag]

@loic425 I changed base branch from 1.15 to 1.14 after consult with @Wojdylak . Please look does it's ok.