diff --git a/admin/code/LeftAndMain.php b/admin/code/LeftAndMain.php
index 226fa5853..9d59997ff 100644
--- a/admin/code/LeftAndMain.php
+++ b/admin/code/LeftAndMain.php
@@ -1046,6 +1046,9 @@ class LeftAndMain extends Controller implements PermissionProvider {
 * @return SS_HTTPResponse JSON string with a
 */
 public function savetreenode($request) {
+ if (!SecurityToken::inst()->checkRequest($request)) {
+ return $this->httpError(400);
+ }
 if (!Permission::check('SITETREE_REORGANISE') && !Permission::check('ADMIN')) {
 $this->response->setStatusCode(
 403,
diff --git a/admin/javascript/LeftAndMain.Tree.js b/admin/javascript/LeftAndMain.Tree.js
index 4faa4654a..37d3d1dbb 100644
--- a/admin/javascript/LeftAndMain.Tree.js
+++ b/admin/javascript/LeftAndMain.Tree.js
@@ -97,7 +97,10 @@
 });
 $.ajax({
- 'url': self.data('urlSavetreenode'),
+ 'url': $.path.addSearchParams(
+ self.data('urlSavetreenode'),
+ self.data('extraParams')
+ ),
 'type': 'POST',
 'data': {
 ID: nodeID,
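Review bot: The new guard at the top of `savetreenode` validates the security token but not the HTTP method, so this state-changing action would still run for a non-POST request that carries a valid token. As far as I can tell `checkRequest` accepts the token from any request variable, and the client change in this same commit does send it in the query string. Consider rejecting other methods first with `if (!$request->isPOST()) return $this->httpError(405);`. The docblock's `@return` line ends mid-sentence ("JSON string with a") and says nothing about the new failure path; a line such as `* Requests without a valid security token are rejected with HTTP 400.` would document it. The function body continues outside the hunk.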
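Review bot: Appending `self.data('extraParams')` to the URL puts whatever it carries into the query string of the POST, where it is recorded in web-server and proxy logs. Its contents are not visible here, but it is presumably the security token that `savetreenode` now checks. Sending that value in the POST body alongside `ID` keeps it out of logged URLs. If a tree is rendered without the `extraParams` data attribute, the value is undefined and every reorder would presumably be rejected with 400, so a comment such as `// extraParams carries the security token required by savetreenode` above the `'url'` entry would make the dependency explicit. The `$.ajax` options object continues outside the hunk.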