diff --git a/seahub/api2/endpoints/admin/groups.py b/seahub/api2/endpoints/admin/groups.py
index 84fead015e..59c847f671 100644
--- a/seahub/api2/endpoints/admin/groups.py
+++ b/seahub/api2/endpoints/admin/groups.py
@@ -234,6 +234,10 @@ class AdminGroup(APIView):
 error_msg = 'quota invalid.'
 return api_error(status.HTTP_400_BAD_REQUEST, error_msg)

+ if not (group_quota > 0 or group_quota == -2):
+ error_msg = 'quota invalid.'
+ return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
+
 try:
 seafile_api.set_group_quota(group_id, group_quota)
 except Exception as e:
diff --git a/static/scripts/sysadmin-app/views/address-book-group-item.js b/static/scripts/sysadmin-app/views/address-book-group-item.js
index 12710fa26a..68eae8e8a8 100644
--- a/static/scripts/sysadmin-app/views/address-book-group-item.js
+++ b/static/scripts/sysadmin-app/views/address-book-group-item.js
@@ -68,12 +68,18 @@ define([
 var $error = $('.error', $form);
 var $submitBtn = $('[type="submit"]', $form);
 var quota = $.trim($('[name="quota"]', $form).val());
+ var quota_int = parseInt(quota);

 if (!quota) {
 $error.html(gettext("It is required.")).show();
 return false;
 }

+ if (!(quota_int == quota &&
+ (quota_int > 0 || quota_int == -2))) {
+ return false;
+ }
+
 Common.disableButton($submitBtn);
 $.ajax({
 url: Common.getUrl({
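Review bot: The sentinel `-2` in the new `if not (group_quota > 0 or group_quota == -2)` guard is a bare magic number, and a rejected value gets the same `'quota invalid.'` text as the check just above it, so neither a maintainer nor an API caller can tell which values are allowed. I would add a comment above the guard such as `# only a positive quota or the sentinel -2 is accepted; 0 and other negatives are rejected`, extended with what -2 means to the backend (not visible here), and make the message `error_msg = 'quota invalid: must be a positive integer or -2.'`. The guard also sets no upper bound, so it is worth confirming that `seafile_api.set_group_quota` tolerates arbitrarily large integers. The enclosing method starts and ends outside the hunk.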
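Review bot: The new validation branch returns `false` without writing anything to `$error`, so a rejected quota leaves the form doing nothing with no explanation, unlike the `It is required.` branch above it; add `$error.html(gettext("Invalid quota.")).show();` before its `return false;`. `parseInt(quota)` should also pass the radix, `var quota_int = parseInt(quota, 10);`, because with the loose `quota_int == quota` comparison an input such as `0x10` passes this check and is sent as typed. This check is a convenience for the admin only; the server-side guard in `groups.py` remains the one that enforces the rule. The enclosing handler starts and ends outside the hunk.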