diff --git a/media/js/base.js b/media/js/base.js index c752fd871c..142e0cb4e2 100644 --- a/media/js/base.js +++ b/media/js/base.js @@ -249,6 +249,29 @@ function addConfirmTo(op_ele, popup) { }); } +// Similar to ``addConfirmto``, instead using form post when user confirms. +function addConfirmTo_POST(op_ele, popup) { + op_ele.click(function() { + var con = ''; + if ($(this).data('target') && popup['con'].indexOf('%s') != -1) { + con = popup['con'].replace('%s', '' + HTMLescape($(this).data('target')) + ''); + } else { + con = popup['con']; + } + $('#confirm-con').html('

' + popup['title'] + '

' + con + '

'); + $('#confirm-popup').modal({appendTo:'#main'}); + $('#simplemodal-container').css({'height':'auto'}); + $('#confirm-yes').data('url', $(this).data('url')).click(function() { + $('
', {
+        "method": 'POST',
+        "action": $(this).data('url'),
+        "html": ''
+    }).appendTo(document.body).submit();
+    });
+    return false;//in case op_ele is ''
+    });
+}
+
 /*
  * func: add autocomplete to some input ele
  * @param ele_id: autocomplete is added to this ele(ment), e.g-'#xxx'
@@ -477,22 +500,23 @@ function e(str) {
     return encodeURIComponent(str);
 }
 
-function prepareCSRFToken(xhr, settings) {
-    function getCookie(name) {
-        var cookieValue = null;
-        if (document.cookie && document.cookie != '') {
-            var cookies = document.cookie.split(';');
-            for (var i = 0; i < cookies.length; i++) {
-                var cookie = jQuery.trim(cookies[i]);
-                // Does this cookie string begin with the name we want?
-                if (cookie.substring(0, name.length + 1) == (name + '=')) {
-                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
-                    break;
-                }
+function getCookie(name) {
+    var cookieValue = null;
+    if (document.cookie && document.cookie != '') {
+        var cookies = document.cookie.split(';');
+        for (var i = 0; i < cookies.length; i++) {
+            var cookie = jQuery.trim(cookies[i]);
+            // Does this cookie string begin with the name we want?
+            if (cookie.substring(0, name.length + 1) == (name + '=')) {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
             }
         }
-        return cookieValue;
     }
+    return cookieValue;
+}
+
+function prepareCSRFToken(xhr, settings) {
     if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
         // Only send the token to relative URLs i.e. locally.
         xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
diff --git a/seahub/templates/sysadmin/useradmin_js.html b/seahub/templates/sysadmin/useradmin_js.html
index 5569427e67..7151c35e04 100644
--- a/seahub/templates/sysadmin/useradmin_js.html
+++ b/seahub/templates/sysadmin/useradmin_js.html
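Review bot: The generated form's `"html": ''` is an empty string in this view, so unless the stripped markup carried a hidden `csrfmiddlewaretoken` input, the POST built in `addConfirmTo_POST` leaves without a CSRF token and Django's CSRF middleware will reject it; `prepareCSRFToken` only covers jQuery XHR, not a plain form submit, so the token has to be embedded in the form here. Because `action` is taken verbatim from the element's `data-url`, that token is posted wherever the attribute points, whereas the XHR prefilter restricts it to relative URLs — worth stating in the header comment, e.g. `// Like addConfirmTo, but on confirm submits a POST form (carrying the CSRF token) to data-url, which must be a same-origin path.`; the current comment also misspells the sibling as ``addConfirmto``. Each click of op_ele binds a further handler on `#confirm-yes` without removing earlier ones, so if the modal is reused after a cancel the form may be submitted more than once; `.off('click')` before `.click(...)` would avoid that, unless the modal's close path already unbinds it (not visible in this hunk).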
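Review bot: `getCookie` is now a module-level helper shared by the XHR prefilter and the new form post, but the hoisted function carries no documentation; a header comment such as `// Read a cookie by name from document.cookie; returns null when it is absent or not readable from script (HttpOnly).` would make the contract explicit. That caveat matters here: if the CSRF cookie is configured as HttpOnly (Django's CSRF_COOKIE_HTTPONLY), this returns null and both `prepareCSRFToken` and any form built from it silently send no token. Minor style: `document.cookie != ''` and the `==` prefix comparison would read cleaner as strict equality. prepareCSRFToken's body continues outside the hunk.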
@@ -1,13 +1,13 @@
 {% load i18n%}
-addConfirmTo($('.remove-user-btn'), {
+addConfirmTo_POST($('.remove-user-btn'), {
     'title':"{% trans "Delete User" %}",
     'con':"{% trans "Are you sure you want to delete %s ?" %}"
 });
-addConfirmTo($('.reset-user-btn'), {
+addConfirmTo_POST($('.reset-user-btn'), {
     'title':"{% trans "Password Reset" %}",
     'con':"{% trans "Are you sure you want to reset the password of %s ?" %}"
 });
-addConfirmTo($('.revoke-admin-btn'), {
+addConfirmTo_POST($('.revoke-admin-btn'), {
     'title':"{% trans "Revoke Admin" %}",
     'con':"{% trans "Are you sure you want to revoke the admin permission of %s ?" %}"
 });
diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py
index cddd7d2097..693708d895 100644
--- a/seahub/views/sysadmin.py
+++ b/seahub/views/sysadmin.py
@@ -28,7 +28,6 @@ from seahub.auth.decorators import login_required, login_required_ajax
 from seahub.constants import GUEST_USER, DEFAULT_USER
 from seahub.utils import IS_EMAIL_CONFIGURED, string2list, is_valid_username, \
     is_pro_version
-from seahub.utils.rpc import mute_seafile_api
 from seahub.utils.licenseparse import parse_license
 from seahub.views import get_system_default_repo_id
 from seahub.forms import SetUserQuotaForm, AddUserForm, BatchAddUserForm
@@ -730,6 +729,9 @@ def sys_org_set_quota(request, org_id):
 @sys_staff_required
 def user_remove(request, email):
     """Remove user"""
+    if request.method != 'POST':
+        raise Http404
+
     referer = request.META.get('HTTP_REFERER', None)
     next = reverse('sys_useradmin') if referer is None else referer
 
@@ -793,6 +795,9 @@ def remove_trial(request, user_or_org):
 @sys_staff_required
 def user_remove_admin(request, email):
     """Unset user admin."""
+    if request.method != 'POST':
+        raise Http404
+
     try:
         user = User.objects.get(email=email)
         user.is_staff = False
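Review bot: `raise Http404` on a non-POST request in `user_remove` reports the wrong condition — the URL exists, the method is what is not allowed — and the same inline check is repeated in `user_remove_admin` here and in `user_reset` in the next hunk. Django's `require_POST` decorator from `django.views.decorators.http` expresses this once per view and answers with `HttpResponseNotAllowed` (405): stack `@require_POST` with `@sys_staff_required` on each of the three views and drop the inline check (this also removes the dependence on `Http404` being imported, which the diff does not show). If a 404 is deliberate, to avoid confirming that the admin endpoint exists, a one-line comment such as `# GET must not mutate state; 404 rather than 405 so the endpoint is not enumerable` would keep the next reader from "correcting" it. Rejecting GET only closes the CSRF hole if CsrfViewMiddleware verifies the POST token on these views, which this diff does not show; the bodies of all three views continue past their hunks.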
@@ -931,6 +936,9 @@ def send_user_reset_email(request, email, password):
 @sys_staff_required
 def user_reset(request, email):
     """Reset password for user."""
+    if request.method != 'POST':
+        raise Http404
+
     try:
         user = User.objects.get(email=email)
         if isinstance(INIT_PASSWD, FunctionType):