diff --git a/commerce_reorder.module b/commerce_reorder.module
index 628fc61f7d9e81221d6c0a19cfee91cd916cbfdc..5e6f72a01355406cb5a87dec894acaac0ba4707d 100644
--- a/commerce_reorder.module
+++ b/commerce_reorder.module
@@ -16,7 +16,6 @@ function commerce_reorder_menu() {
 'title' => 'Reorder',
 'page callback' => 'commerce_reorder_reorder_tab',
 'page arguments' => array(3),
- // 'access arguments' => array('view', 3),
 'access arguments' => array('commerce_reorder_access'),
 'type' => MENU_LOCAL_TASK,
 'weight' => 15,
@@ -48,19 +47,28 @@ function commerce_reorder_views_api() {
 );
 }
 
+/**
+ * Dynamically add a CSRF-protection token to the reorder-links usin a
+ * preprocess function.
+ *
+ * @see http://drupal.org/node/755584 for a reference to CSRF tokens for menus.
+ */
+function commerce_reorder_preprocess_link(&$variables) {
+ $path = explode('/', $variables['path']);
+ if (strpos($variables['path'], 'admin/commerce/orders/') === 0 && array_pop($path) == 'reorder') {
+ $variables['options']['query']['token'] = drupal_get_token('commerce_reorder:' . $path[3]);
+ }
+}
+
 /**
 * Perform the reorder action for the operations menu
 *
 */
 function commerce_reorder_reorder_tab($order) {
- global $user;
-
- // Check permission - user can only reorder an order they have permission to view.
- if (!commerce_order_access('view', $order, $user)) {
- drupal_access_denied();
- return;
+ if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'commerce_reorder:' . $order->order_id) || !commerce_order_access('view', $order)) {
+ return MENU_ACCESS_DENIED;
 }
-
+
+ commerce_reorder_helper($order);
 drupal_set_message(t('Order copied to your cart.'));
 // Redirect to the checkout with the new cart.
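Review bot: `$path[3]` in commerce_reorder_preprocess_link is read without a bounds check, so a link whose path is `admin/commerce/orders/reorder` (no id segment) passes both the prefix test and the `array_pop` test, raises an undefined-offset notice and still gets a token minted for an empty id; add `isset($path[3])` to the condition and use `=== 'reorder'` rather than `==`. Separately, as far as I can tell hook_preprocess_link is only reached through theme('link') render elements and not through l(), which is what renders MENU_LOCAL_TASK tabs — if that holds, the Reorder tab registered in commerce_reorder_menu never carries a token and commerce_reorder_reorder_tab will always return MENU_ACCESS_DENIED for it, so the tab rendering path is worth verifying. The doc block typo `usin` should read `using`. The body of commerce_reorder_reorder_tab continues past the end of the hunk.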