diff --git a/core/groups/groupedit.php b/core/groups/groupedit.php index 60e946c5f9..fb91228355 100644 --- a/core/groups/groupedit.php +++ b/core/groups/groupedit.php @@ -53,6 +53,14 @@ $group_level = $_POST["group_level"]; $group_description = $_POST["group_description"]; + //validate the token + $token = new token; + if (!$token->validate($_SERVER['PHP_SELF'])) { + message::add($text['message-invalid_token'],'negative'); + header('Location: groups.php'); + exit; + } + //check for global/domain duplicates $sql = "select count(*) from v_groups "; $sql .= "where group_name = :group_name "; @@ -281,6 +289,10 @@ unset($sql, $parameters, $row); } +//create token + $object = new token; + $token = $object->create($_SERVER['PHP_SELF']); + //include the header include "resources/header.php"; $document['title'] = $text['title-group_edit']; @@ -302,7 +314,6 @@ //show the content echo "
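Review bot: `$_SERVER['PHP_SELF']` is used as the token key in the added `validate()` call, and PHP_SELF includes any path info the client appends to the script URL, so the key is partly request-controlled; the `create()` call in the `@@ -281,6 +289,10 @@` hunk has the same issue. `$_SERVER['SCRIPT_NAME']` is a stable per-script key, changed on both sides together: `if (!$token->validate($_SERVER['SCRIPT_NAME'])) {` and `$token = $object->create($_SERVER['SCRIPT_NAME']);`. The token class is not visible here, so treat this as hardening rather than a confirmed weakness. The enclosing POST-handling block starts outside the hunk, so it is worth confirming that no state-changing branch runs before this check.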
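Review bot: `$token` names two different things in this file: the `token` object in the POST branch (`@@ -53,6 +53,14 @@`) and, in this hunk, whatever `create()` returns, while the object itself is called `$object`. Naming the instance the same way in both places, e.g. `$token_object = new token;`, and keeping `$token` for the created value makes the render code that consumes it easier to audit. The comment could also say what the token is for: `//create the form token that the POST handler validates`.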
\n"; - echo "\n"; echo "\n"; echo " \n"; @@ -389,6 +400,10 @@ echo "\n"; echo "\n"; @@ -401,4 +416,4 @@ //include the footer include "resources/footer.php"; -?> +?> \ No newline at end of file
\n"; + if (is_uuid($group_uuid)) { + echo " \n"; + } + echo " \n"; echo "
"; echo " \n"; echo "