diff --git a/classes/output/answermenu.php b/classes/output/answermenu.php
index aacebfe0508f6b772653f9bc5cbce8bf8d9cc64e..72b3c04138f14e472f33d879d9dd13719dae7281 100644
--- a/classes/output/answermenu.php
+++ b/classes/output/answermenu.php
@@ -58,6 +58,7 @@ class answermenu implements \renderable, \templatable {
         $urlparams['annotationid'] = $annotationid;
         $urlparams['itemsperpage'] = $itemsperpage;
         $urlparams['answerfilter'] = $answerfilter;
+        $urlparams['sesskey'] = sesskey();
         $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
         $this->url = $url;
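Review bot: The session key is now part of a link's query string (`$urlparams['sesskey'] = sesskey();`), so it ends up in browser history, web-server access logs and any URL a user copies or shares. Moodle accepts this for GET action links, but if the target action changes state, submitting it by POST (for example through a `single_button`) keeps the token out of the URL. The same applies to the `sesskey` additions in questionmenu.php and comment.php. If the link stays, a short comment such as `// Checked by require_sesskey() in controller.php.` would tie the parameter to its check; the action this URL carries is set outside the hunk.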
diff --git a/classes/output/comment.php b/classes/output/comment.php
index a6f6b3393095a16a5b425cf7e6d7410c993e30f6..1ffe19b07d7a577606926fc676f836fd9ebea12c 100644
--- a/classes/output/comment.php
+++ b/classes/output/comment.php
@@ -261,7 +261,7 @@ class comment implements \renderable, \templatable {
     private function addforwardbutton($comment, $forwardquestions, $cm) {
         if (!isset($comment->type) && $comment->isquestion && !$comment->isdeleted && $forwardquestions) {
             global $CFG;
-            $urlparams = ['id' => $cm->id, 'action' => 'forwardquestion', 'commentid' => $comment->uuid];
+            $urlparams = ['id' => $cm->id, 'action' => 'forwardquestion', 'commentid' => $comment->uuid, 'sesskey' => sesskey()];
             $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
             $comment->buttons[] = ["classes" => "comment-forward-a", "attributes" => ["name" => "onclick", "value" => "window.location.href = '$url';"],
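Review bot: The URL that now carries the session key is spliced into a JavaScript string inside an `onclick` value two lines below the change (`"window.location.href = '$url';"`), where casting a `moodle_url` to string produces the HTML-escaped form with `&amp;` separators. The existing `action` and `commentid` parameters already travel this way, so it probably works, but it is worth confirming in the rendered page that the parameter arrives as `sesskey` rather than `amp;sesskey`, since `require_sesskey()` would otherwise reject every click. Using `$url->out(false)` for the script string and leaving the single HTML escape to the template would make the encoding explicit. The button array and the rest of `addforwardbutton()` continue outside the hunk.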
diff --git a/classes/output/questionmenu.php b/classes/output/questionmenu.php
index c68c0b156fb165d92525e8357cd65436e9438429..417143615bded605551f85160d9231cf3c96a156 100644
--- a/classes/output/questionmenu.php
+++ b/classes/output/questionmenu.php
@@ -44,6 +44,7 @@ class questionmenu implements \renderable, \templatable {
         $urlparams['action'] = 'forwardquestion';
         $urlparams['fromoverview'] = '1';
         $urlparams['commentid'] = $commentid;
+        $urlparams['sesskey'] = sesskey();
         $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
         $this->url = $url;
diff --git a/controller.php b/controller.php
index 00a5606de29635222af3aaf14d96d5c04952ffd5..900a3f9c6e780f54f953758ba926aa36426a8705 100644
--- a/controller.php
+++ b/controller.php
@@ -28,6 +28,8 @@ $taburl = new moodle_url('/mod/pdfannotator/view.php', array('id' => $id));
 
 $myrenderer = $PAGE->get_renderer('mod_pdfannotator');
 
+require_course_login($pdfannotator->course, true, $cm);
+
 /* * ********************************************** Display overview page *********************************************** */
 
 if ($action === 'overview') {
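Review bot: `require_course_login()` is the weaker of Moodle's two login gates: for an activity on the site front page it does not force authentication unless `forcelogin` is on. Since later branches of this controller change data, `require_login($pdfannotator->course, true, $cm);` looks like the safer call unless front-page guest access is intended, and unless view.php already enforces it before including this file (not visible here). It is also worth confirming the ordering, because the check is added after `$PAGE->get_renderer()` and login checks normally run before page and theme set-up.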
@@ -36,6 +38,7 @@ if ($action === 'overview') {
 }
 
 if ($action === 'forwardquestion') {
+    require_sesskey();
     require_capability('mod/pdfannotator:forwardquestions', $context);
     require_once($CFG->dirroot . '/mod/pdfannotator/forward_form.php');
     global $USER;
@@ -182,7 +185,7 @@ if ($action === 'overviewquestions') {
  * all answers.
  */
 if ($action === 'subscribeQuestion') {
-
+    require_sesskey();
     require_capability('mod/pdfannotator:subscribe', $context);
 
     global $DB;
@@ -205,7 +208,7 @@ if ($action === 'subscribeQuestion') {
  * answers to questions to which the user is subscribed.
  */
 if ($action === 'unsubscribeQuestion') {
-
+    require_sesskey();
     require_capability('mod/pdfannotator:subscribe', $context);
 
     global $DB;
@@ -306,6 +309,7 @@ if ($action === 'overviewownposts') {
  * (either unread reports (reportfiler == 0) or all reports (reportfilter == 2)).
  */
 if ($action === 'markreportasread') { // XXX Rename key and move it into $action === 'overviewreports'
+    require_sesskey();
     require_capability('mod/pdfannotator:viewreports', $context);
 
     global $DB;
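Review bot: Nothing in the visible part of this commit adds `sesskey` to the links that trigger `markreportasread`, and the same holds for the `markreportasunread` hunk below; the three URL builders that were updated are for the answer menu, the question menu and the comment forward button. If the report-overview links were not changed elsewhere, both actions will now fail with an invalid-sesskey error for every user. Each builder for these actions needs `$urlparams['sesskey'] = sesskey();`, as was done in questionmenu.php. The branch body continues outside the hunk.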
@@ -341,6 +345,7 @@ if ($action === 'markreportasread') { // XXX Rename key and move it into $action
  * (either unread reports (reportfiler == 0) or all reports (reportfilter == 2)).
  */
 if ($action === 'markreportasunread') { // XXX Rename key and move it into $action === 'overviewreports'
+    require_sesskey();
     require_capability('mod/pdfannotator:viewreports', $context);
 
     global $DB;
@@ -484,6 +489,7 @@ if ($action === 'report') {
         echo $myrenderer->pdfannotator_render_tabs($taburl, $action, $pdfannotator->name, $context);
         pdfannotator_display_embed($pdfannotator, $cm, $course, $file);
     } else if ($report = $mform->get_data()) { // Process validated data. $mform->get_data() returns data posted in form.
+        require_sesskey();
         global $USER;
 
         // 1. Notify course manager(s).
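Review bot: The added `require_sesskey();` runs only after `$mform->get_data()` has returned data, and a standard moodleform already validates the session key as part of processing a submission, so this check is likely redundant if `$mform` is one (its class is not visible in the hunk). It is harmless as defence in depth, but a comment such as `// Belt and braces: moodleform has already verified the sesskey at this point.` would stop a later reader from assuming the form path was unprotected before. The branch continues outside the hunk.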