Because of the issues described on
LSNBLDR-607 (the permission and CSRF check) the deleteOrphanPages is actually inaccessible and causes errors when called from a webservice.
This splits up the check and the actual delete into 2 methods. The service call isn't protected, where the tool call from the UI is. This also provides a sample webservice (that is protected)