  1. XWiki Platform
  2. XWIKI-7011

Deleting a user from a group does not work with CSRF protection


Details

    • group remove member csrf
    • Trivial

    Description

      How to reproduce:

      • Enable CSRF protection
      • Create a test user
      • Go to XWikiAllGroup logged in as admin and in inline edit mode
      • Delete the just added test user from XWikiAllGroup

      The JavaScript removes the user from the livetable, but on a refresh, it's back.

      Reason: The delete URL that's used by AJAX lacks the 'form_token' parameter.
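
A regression check for the cause stated above, as an added example that is not XWiki's own code: it builds a state-changing URL that always carries a `form_token` parameter and lists AJAX URLs that lack one. The helper names, the sample URLs and the token value are constructed for illustration and are not XWiki's real endpoints.

```javascript
'use strict';

// Split a relative or absolute URL into path, query parameters and fragment
// without needing a base URL (hypothetical helper).
function splitUrl(url) {
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const base = hashAt === -1 ? url : url.slice(0, hashAt);
  const queryAt = base.indexOf('?');
  return {
    path: queryAt === -1 ? base : base.slice(0, queryAt),
    params: new URLSearchParams(queryAt === -1 ? '' : base.slice(queryAt + 1)),
    fragment,
  };
}

// Return `url` with exactly one form_token parameter. Fails closed: with no
// token available, no URL is produced, so the request is never sent unprotected.
function withFormToken(url, token) {
  if (typeof token !== 'string' || token === '') {
    throw new Error('CSRF token unavailable: refusing to build a state-changing URL');
  }
  const { path, params, fragment } = splitUrl(url);
  params.set('form_token', token); // also replaces a stale or duplicated token
  return path + '?' + params.toString() + fragment;
}

// True when the URL already carries a non-empty form_token.
function hasFormToken(url) {
  const value = splitUrl(url).params.get('form_token');
  return value !== null && value !== '';
}

// Audit helper: given the URLs a page's scripts send state-changing requests
// to, return the ones that would be rejected by the CSRF check.
function urlsMissingToken(urls) {
  return urls.filter((u) => !hasFormToken(u));
}

// Constructed sample data.
const SAMPLE_TOKEN = 'tok123';
const SAMPLE_DELETE_URL =
  '/xwiki/bin/view/XWiki/XWikiAllGroup?action=removeMember&member=XWiki.TestUser#members';

console.log(withFormToken(SAMPLE_DELETE_URL, SAMPLE_TOKEN));
console.log(urlsMissingToken([SAMPLE_DELETE_URL, withFormToken(SAMPLE_DELETE_URL, SAMPLE_TOKEN)]));
```

The client-side symptom in the report (row removed from the livetable, user back after refresh) also suggests checking the AJAX response before updating the UI, so a rejected request is visible immediately.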


          People

            enygma Eduard Moraru