diff --git a/publish_button.module b/publish_button.module
index 9f991c1..dd1b44e 100644
--- a/publish_button.module
+++ b/publish_button.module
@@ -293,6 +293,10 @@ function _publish_button_menu_access($nid, $status) {
  * Callback to publish/unpublish node, preferable used via Views.
  */
 function publish_button_status($nid) {
+  if (!isset($_GET['csrf_token']) || !drupal_valid_token($_GET['csrf_token'], 'publish_button_' . $nid)) {
+    drupal_access_denied();
+    return;
+  }
   // Load the node in a object so we could use it.
   $node = node_load($nid);
   // If the node is published.
diff --git a/publish_button_views_handler_node_link.inc b/publish_button_views_handler_node_link.inc
index f255430..50e8e55 100644
--- a/publish_button_views_handler_node_link.inc
+++ b/publish_button_views_handler_node_link.inc
@@ -57,9 +57,11 @@ class publish_button_views_handler_node_link extends views_handler_field_node_li
       $status = 'publish';
     }
     if (isset($this->options['alter'])) {
+      $csrf_token = drupal_get_token('publish_button_' . $data);
       $this->options['alter']['make_link'] = TRUE;
       $this->options['alter']['path'] = 'publish_button/' . $data . '/' . $status;
       $this->options['alter']['query'] = drupal_get_destination();
+      $this->options['alter']['query']['csrf_token'] = $csrf_token;
       $text = empty($this->options[$status]) ? t($status) : $this->options[$status];
       $publish_button = array(
         '#type' => 'button',
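Review bot: The token value `'publish_button_' . $nid` binds the token to the node but not to the action, so a token minted for the publish link is equally valid on the unpublish URL for the same node (the path in the second hunk carries `$status`, but neither the generator there nor this validator includes it). If `publish_button_status()` toggles on the node's current state rather than honouring the path's status segment, a stale link replayed after the state changed flips it the other way with a still-valid token; binding the token to the intended action closes that, e.g. `'publish_button_' . $nid . '_' . $status` in both `drupal_get_token()` and `drupal_valid_token()`, with the callback receiving the status (second page argument or `arg(2)`) and refusing to act when it no longer matches the node. The check itself reads `$_GET` directly; the rest of `publish_button_status()` continues outside the hunk, so whether the redirect after the status change still runs when the check passes cannot be confirmed here. A short comment above the guard, `// Links to this callback are GET requests; require the per-session token issued by the Views link handler.`, would tell the next maintainer why a page callback does its own token check.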
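Review bot: `drupal_get_token()` output is bound to the current session, so if this view's output is served from Views caching (or any page/block cache) the link carries a token minted for whichever session populated the cache, and the validation added in `publish_button.module` will reject it for everyone else — a 403 rather than a bypass, but a functional regression worth a comment or a cache-contexts check; I cannot see the view's cache settings from here. As a point of style, `$csrf_token` is computed three lines before its only use; inlining it keeps the query build together: `$this->options['alter']['query']['csrf_token'] = drupal_get_token('publish_button_' . $data);`. The enclosing method of `publish_button_views_handler_node_link` starts and ends outside the hunk.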