Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java
===================================================================
diff -u -r29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5 -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java	(.../UserController.java)	(revision 29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java	(.../UserController.java)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -64,12 +64,13 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
  * @author Jun-Dir Liew
  */
 @Controller
-@RequestMapping("/user")
+@RequestMapping(path = "/user", method = RequestMethod.POST)
 public class UserController {
     private static Logger log = Logger.getLogger(UserController.class);
 
@@ -88,7 +89,7 @@
     private static List<SupportedLocale> locales;
     private static List<AuthenticationMethod> authenticationMethods;
 
-    @RequestMapping(path = "/edit")
+    @RequestMapping(path = "/edit", method = RequestMethod.POST)
     public String edit(@ModelAttribute UserForm userForm, HttpServletRequest request) throws Exception {
 	if (locales == null) {
 	    locales = userManagementService.findAll(SupportedLocale.class);
@@ -281,7 +282,7 @@
     }
 
     // determine whether to disable or delete user based on their lams data
-    @RequestMapping(path = "/remove")
+    @RequestMapping(path = "/remove", method = RequestMethod.POST)
     public String remove(HttpServletRequest request) throws Exception {
 	if (!(request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())) {
 	    request.setAttribute("errorName", "UserAction");
@@ -301,7 +302,7 @@
 	return "remove";
     }
 
-    @RequestMapping(path = "/disable")
+    @RequestMapping(path = "/disable", method = RequestMethod.POST)
     public String disable(HttpServletRequest request) throws Exception {
 	if (!(request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())) {
 	    request.setAttribute("errorName", "UserController");
@@ -326,7 +327,7 @@
 	}
     }
 
-    @RequestMapping(path = "/delete")
+    @RequestMapping(path = "/delete", method = RequestMethod.POST)
     public String delete(HttpServletRequest request) throws Exception {
 	if (!(request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())) {
 	    request.setAttribute("errorName", "UserAction");
@@ -358,7 +359,7 @@
     }
 
     // called from disabled users screen
-    @RequestMapping(path = "/enable")
+    @RequestMapping(path = "/enable", method = RequestMethod.POST)
     public String enable(HttpServletRequest request) throws Exception {
 	if (!(request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupManager())) {
 	    request.setAttribute("errorName", "UserController");
@@ -376,4 +377,4 @@
 	return "forward:/disabledmanage.do";
     }
 
-}
\ No newline at end of file
+}
Index: lams_admin/web/disabledusers.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_admin/web/disabledusers.jsp	(.../disabledusers.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/disabledusers.jsp	(.../disabledusers.jsp)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -46,7 +46,7 @@
 					<c:out value="${user.lastName}" />
 				</td>
 				<td>
-					<a href="<lams:LAMSURL/>admin/user/enable.do?userId=<c:out value="${user.userId}"/>" class="btn btn-default btn-sm"><fmt:message key="admin.enable"/></a>
+					<csrf:form style="display: inline-block;" id="enable_${ltiConsumer.sid}" method="post" action="/lams/admin/user/enable.do"><input type="hidden" name="userId" value="${user.userId}"/><button type="submit" class="btn btn-primary btn-xs"><fmt:message key="admin.enable" /></button></csrf:form>
 				</td>		
 			</tr>
 		</c:forEach>
Index: lams_admin/web/remove.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_admin/web/remove.jsp	(.../remove.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/remove.jsp	(.../remove.jsp)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -15,7 +15,6 @@
     
 <body class="stripes">
 	<lams:Page type="admin" title="${title}">
-		<form>
 				<c:if test="${empty orgId}">
 					<c:url var="cancel" value="/usersearch.do" />
 				</c:if>
@@ -44,9 +43,9 @@
 								<c:param name="orgId" value="${orgId}" />
 							</c:url>
 							<div class="pull-right">
-								<button class="btn btn-primary" type="button" onClick="javascript:document.location='<c:out value="${disableaction}"/>'">
-									Disable
-								</button>
+								<csrf:form style="display: inline-block;" id="disable_${userId}" method="post" action="/lams/admin/user/disable.do"><input type="hidden" name="userId" value="${userId}"/><input type="hidden" name="orgId" value="<c:out value="${orgId}"/>"/><input type="submit" class="btn btn-primary" value="<fmt:message key="admin.disable" />"/></csrf:form>
+								&nbsp;
+
 								<button class="btn btn-default" type="button" onClick="javascript:document.location='<c:out value="${cancel}"/>'">
 									Cancel 
 								</button>
@@ -69,17 +68,15 @@
 								<c:param name="orgId" value="${orgId}" />
 							</c:url>
 							<div class="pull-right">
-								<button class="btn btn-default" type="button" onClick="javascript:document.location='<c:out value="${deleteaction}"/>'">
-									Delete
-								</button>
+								<csrf:form style="display: inline-block;" id="delete_${userId}" method="post" action="delete.do"><input type="hidden" name="userId" value="${userId}"/><input type="hidden" name="orgId" value="${orgId}"/><button type="submit" class="btn btn-danger"><fmt:message key="admin.delete" /></button></csrf:form>
+
 								<button class="btn btn-default" type="button" onClick="javascript:document.location='<c:out value="${cancel}"/>'">
 									Cancel
 								</button>
 							</div>
 						</div>
 					</div>
 				</c:if>
-		</form>
 				
 	<div id="footer"/>
 	</lams:Page>
Index: lams_admin/web/user.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_admin/web/user.jsp	(.../user.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/user.jsp	(.../user.jsp)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -163,8 +163,8 @@
 <body class="stripes">
 	<c:set var="title">${title}: <fmt:message key="admin.user.edit"/></c:set>
 	<lams:Page type="admin" title="${title}" formID="userForm">
-	
-			<form:form id="userForm" action="../usersave/saveUserDetails.do" modelAttribute="userForm" method="post">
+	<c:set var="csrfToken"><csrf:token/></c:set>
+	<form:form id="userForm" action="../usersave/saveUserDetails.do?${csrfToken}" modelAttribute="userForm" method="post">
 				<form:hidden path="orgId" />
 				<form:hidden path="userId" />
 
@@ -582,4 +582,4 @@
 
 	</lams:Page>
 </body>
-</lams:html>
\ No newline at end of file
+</lams:html>
Index: lams_admin/web/usersearchlist.jsp
===================================================================
diff -u -r37bb2ae017713b44cdfd6a55cfceca28c3efab02 -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_admin/web/usersearchlist.jsp	(.../usersearchlist.jsp)	(revision 37bb2ae017713b44cdfd6a55cfceca28c3efab02)
+++ lams_admin/web/usersearchlist.jsp	(.../usersearchlist.jsp)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -91,13 +91,9 @@
 								rows += '</td>';
 								
 								rows += '<td>';
-								rows += 	'<a title="<fmt:message key="admin.user.delete"/>" href="<lams:LAMSURL/>admin/user/remove.do?userId=' + orgData["userId"] + '">';
-								rows += 		'<button type="button" class="btn btn-danger btn-xs"><i class="fa fa-trash"/> <span class="hidden-xs hidden-sm"><fmt:message key="admin.user.delete"/></span></button>';
-								rows += 	'</a>';
+								rows +=		'<form style="display: inline-block;" id="delete_' + orgData["userId"] +'" method="post" action="/lams/admin/user/remove.do"><input type="hidden" name="userId" value="' + orgData["userId"] + '"/><input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/><button class="btn btn-danger btn-xs" type="submit"><i class="fa fa-trash"/> <span class="hidden-xs hidden-sm"><fmt:message key="admin.user.delete"/></span></button></form>';
 								rows += 	'&nbsp;';
-								rows += 	'<a title="<fmt:message key="admin.edit"/>" href="<lams:LAMSURL/>admin/user/edit.do?userId=' + orgData["userId"] + '">';
-								rows += 		'<button type="button" class="btn btn-primary btn-xs"><i class="fa fa-pencil"/> <span class="hidden-xs hidden-sm"><fmt:message key="admin.edit"/></span></button>';
-								rows += 	'</a>';
+								rows +=     '<form style="display: inline-block;" id="delete_' + orgData["userId"] +'" method="post" action="/lams/admin/user/edit.do"><input type="hidden" name="userId" value="' + orgData["userId"] + '"/><input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/><button class="btn btn-primary btn-xs" type="submit"><i class="fa fa-pencil"/> <span class="hidden-xs hidden-sm"><fmt:message key="admin.edit"/></span></button></form>';
 								rows += 	'&nbsp;';
 								rows += 	'<a title="<fmt:message key="label.login.as"/>" href="<lams:LAMSURL/>loginas.do?login=' + orgData["login"] + '">';
 								rows += 		'<button type="button" class="btn btn-primary btn-xs"><i class="fa fa-sign-in"/><span class="hidden-xs hidden-sm"> <fmt:message key="label.login.as"/></span></button>';
@@ -179,4 +175,4 @@
 	</lams:Page>
 
 </body>
-</lams:html>
\ No newline at end of file
+</lams:html>
Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r0933451e694b19886dd20e2962fc984e997dbf6e -r002370657c7bc0bf87eef9c223e1778f74483413
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 0933451e694b19886dd20e2962fc984e997dbf6e)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 002370657c7bc0bf87eef9c223e1778f74483413)
@@ -27,6 +27,11 @@
 org.owasp.csrfguard.protected.adminThemeSave=/lams/admin/themeManagement/addOrEditTheme.do
 org.owasp.csrfguard.protected.adminThemeRemove=/lams/admin/themeManagement/removeTheme.do
 org.owasp.csrfguard.protected.adminSessionManagementDelete=/lams/admin/sessionmaintain/delete.do
+org.owasp.csrfguard.protected.adminUserDisable=/lams/admin/user/disable.do
+org.owasp.csrfguard.protected.adminUserEdit=/lams/admin/user/edit.do
+org.owasp.csrfguard.protected.adminUserRemove=/lams/admin/user/remove.do
+org.owasp.csrfguard.protected.adminUserDelete=/lams/admin/user/delete.do
+org.owasp.csrfguard.protected.adminUserSaveDetails=/lams/admin/usersave/saveUserDetails.do
 
 org.owasp.csrfguard.protected.centralSaveUserProfile=/lams/saveprofile.do
 org.owasp.csrfguard.protected.centralOutcomeSave=/lams/outcome/outcomeSave.do