1 files changed, 4 insertions, 0 deletions

diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
index c3e66634..3b0eac66 100644
--- a/modules/user/controllers/password.php
+++ b/modules/user/controllers/password.php
@@ -19,6 +19,8 @@
  */
 class Password_Controller extends Controller {
   public function reset() {
+    access::verify_csrf();
+
     if (request::method() == "post") {
       $this->_send_reset();
     } else {
@@ -27,6 +29,8 @@ class Password_Controller extends Controller {
   }
 
   public function do_reset() {
+    access::verify_csrf();
+
     if (request::method() == "post") {
       $this->_change_password();
     } else {