diff --git a/src/messenger/webim/operator/permissions.php b/src/messenger/webim/operator/permissions.php
index 00713e2c..79bd67f7 100644
--- a/src/messenger/webim/operator/permissions.php
+++ b/src/messenger/webim/operator/permissions.php
@@ -23,6 +23,7 @@ require_once('../libs/common.php');
 require_once('../libs/operator.php');
 require_once('../libs/operator_settings.php');
 
+csrfchecktoken();
 $operator = check_login();
 
 function update_operator_permissions($operatorid, $newvalue)
diff --git a/src/messenger/webim/view/avatar.php b/src/messenger/webim/view/avatar.php
index 3219f8ce..b949f2f6 100644
--- a/src/messenger/webim/view/avatar.php
+++ b/src/messenger/webim/view/avatar.php
@@ -36,7 +36,10 @@ require_once('inc_errors.php');
 ?>
 
 <form name="avatarForm" method="post" action="<?php echo $webimroot ?>/operator/avatar.php" enctype="multipart/form-data">
+
+<!-- add csrf token -->
 <?php print_csrf_token_input() ?>
+
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>
diff --git a/src/messenger/webim/view/permissions.php b/src/messenger/webim/view/permissions.php
index 7c47ecc7..7bf433e8 100644
--- a/src/messenger/webim/view/permissions.php
+++ b/src/messenger/webim/view/permissions.php
@@ -39,6 +39,10 @@ require_once('inc_errors.php');
 <?php } ?>
 
 <form name="permissionsForm" method="post" action="<?php echo $webimroot ?>/operator/permissions.php">
+
+<!-- add csrf token -->
+<?php print_csrf_token_input() ?>
+
 <input type="hidden" name="op" value="<?php echo $page['opid'] ?>"/>
 	<div>
 <?php print_tabbar(); ?>
@@ -67,4 +71,4 @@ require_once('inc_errors.php');
 } /* content */
 
 require_once('inc_main.php');
-?>
\ No newline at end of file
+?>