- if($this->mRequest->getCheck('saveusergroups')) {
- $this->saveUserGroups($this->mRequest->getVal('user-editname'),
- $this->mRequest->getArray('member'),
- $this->mRequest->getArray('available'));
+ if( $this->mRequest->getCheck( 'saveusergroups' ) ) {
+ global $wgUser;
+ $username = $this->mRequest->getVal( 'user-editname' );
+ if( $wgUser->matchEditToken( $this->mRequest->getVal( 'wpEditToken' ), $username ) ) {
+ $this->saveUserGroups( $username,
+ $this->mRequest->getArray( 'member' ),
+ $this->mRequest->getArray( 'available' ) );
+ }