How to reproduce:
- Enable CSRF protection
- Create a test user
- Go to XWikiAllGroup logged in as admin and in inline edit mode
- Delete the just added test user from XWikiAllGroup
Reason: The delete URL that's used by AJAX lacks the 'form_token' parameter.