diff --git a/core/avatar/controller.php b/core/avatar/controller.php
index 43ee811f19107dba7dbef83d59d3fa52aced5531..03482ee1070d5554eab563a1a009c332e04138ba 100644
--- a/core/avatar/controller.php
+++ b/core/avatar/controller.php
@@ -10,12 +10,8 @@ namespace OC\Core\Avatar;
 
 class Controller {
 	public static function getAvatar($args) {
-		if (!\OC_User::isLoggedIn()) {
-			$l = new \OC_L10n('core');
-			header("HTTP/1.0 403 Forbidden");
-			\OC_Template::printErrorPage($l->t("Permission denied"));
-			return;
-		}
+		\OC_JSON::checkLoggedIn();
+		\OC_JSON::callCheck();
 
 		$user = stripslashes($args['user']);
 		$size = (int)$args['size'];
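Review bot: Adding `\OC_JSON::callCheck()` to getAvatar puts a CSRF token requirement on a read-only image GET, which is why the client side now has to append `?requesttoken=` to the avatar URLs (core/js/jquery.avatar.js and settings/js/personal.js in this same commit); a token carried in a GET URL ends up in browser history, Referer headers and access logs. Since getAvatar and getTmpAvatar (the hunk at `@@ -105,6 +107,9 @@`) only read data, `\OC_JSON::checkLoggedIn();` alone would be the usual guard there, with `callCheck()` reserved for the state-changing postAvatar, deleteAvatar and postCroppedAvatar handlers. Note also that the removed branch returned an HTML error page while the OC_JSON helpers presumably emit a JSON body on failure, so any caller that expects image bytes or an HTML error should be rechecked. The body of getAvatar continues past the end of this hunk.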
@@ -41,6 +37,9 @@ class Controller {
 	}
 
 	public static function postAvatar($args) {
+		\OC_JSON::checkLoggedIn();
+		\OC_JSON::callCheck();
+
 		$user = \OC_User::getUser();
 
 		if (isset($_POST['path'])) {
@@ -93,6 +92,9 @@ class Controller {
 	}
 
 	public static function deleteAvatar($args) {
+		\OC_JSON::checkLoggedIn();
+		\OC_JSON::callCheck();
+
 		$user = \OC_User::getUser();
 
 		try {
@@ -105,6 +107,9 @@ class Controller {
 	}
 
 	public static function getTmpAvatar($args) {
+		\OC_JSON::checkLoggedIn();
+		\OC_JSON::callCheck();
+
 		$tmpavatar = \OC_Cache::get('tmpavatar');
 		if (is_null($tmpavatar)) {
 			$l = new \OC_L10n('core');
@@ -120,6 +125,9 @@ class Controller {
 	}
 
 	public static function postCroppedAvatar($args) {
+		\OC_JSON::checkLoggedIn();
+		\OC_JSON::callCheck();
+
 		$user = \OC_User::getUser();
 		if (isset($_POST['crop'])) {
 			$crop = $_POST['crop'];
diff --git a/core/js/jquery.avatar.js b/core/js/jquery.avatar.js
index 1d2c07211e7a316b286a3d37bba06f446e00d61f..37a824c3347f560bbc33e22da2d06cdfafa8a69b 100644
--- a/core/js/jquery.avatar.js
+++ b/core/js/jquery.avatar.js
@@ -66,7 +66,7 @@
 		var $div = this;
 
 		OC.Router.registerLoadedCallback(function() {
-			var url = OC.Router.generate('core_avatar_get', {user: user, size: size});
+			var url = OC.Router.generate('core_avatar_get', {user: user, size: size})+'?requesttoken='+oc_requesttoken;
 			$.get(url, function(result) {
 				if (typeof(result) === 'object') {
 					$div.placeholder(result.user);
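Review bot: The token is concatenated into the query string unencoded on the changed line; even if it is alphanumeric today, the safe form is `var url = OC.Router.generate('core_avatar_get', {user: user, size: size})+'?requesttoken='+encodeURIComponent(oc_requesttoken);`, and the same applies to the `core_avatar_get_tmp` URL in settings/js/personal.js. The `'?requesttoken='` concatenation also assumes the generated route carries no query string of its own, which is worth a comment if that is guaranteed. Beyond encoding, this line is the place where a request token becomes part of a cacheable image URL, so the trade-off of requiring it on a GET at all should be weighed against the server-side change. The enclosing callback continues outside the hunk.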
diff --git a/settings/js/personal.js b/settings/js/personal.js
index 61ce6274c4e7f8d56baad6e2b9574fbd57793b23..e19d4c835001ede8991a6f0b504615559b5363d5 100644
--- a/settings/js/personal.js
+++ b/settings/js/personal.js
@@ -58,7 +58,7 @@ function showAvatarCropper() {
 	$cropper = $('#cropper');
 	$cropperImage = $('#cropper img');
 
-	$cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'#'+Math.floor(Math.random()*1000));
+	$cropperImage.attr('src', OC.Router.generate('core_avatar_get_tmp')+'?requesttoken='+oc_requesttoken+'#'+Math.floor(Math.random()*1000));
 
 	// Looks weird, but on('load', ...) doesn't work in IE8
 	$cropperImage.ready(function(){