    Add CSRF protection to all POSTable views in Djblets.

    Review Request #5571 — Created March 2, 2014 and submitted — Latest diff uploaded

    Information

    Djblets
    master
    72bcc4e...

    All views in Djblets that handle HTTP POST requests are now decorated
    with a @csrf_protect decorator, and have matching {% csrf_token %} tags
    in the templates. This adds a layer of protection we didn't have before.

    The API is unaffected, as adding CSRF protection to APIs sort of defeats
    the purpose of APIs. There are other protections we may want to make
    here, but that's a separate task.

    Tested each view in Review Board, with the {% csrf_token %} tags removed.
    Saw the CSRF validation failures. Added back the tags, and was able to POST.
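
    A static check for the template half of this change, as an added example (not code from Djblets or from this review request): it reports POST forms in Django templates that have no {% csrf_token %} tag. The template names and contents are constructed samples, and the regex-based matching assumes forms are not nested or assembled from includes.

```python
import re

# One <form ...> ... </form> element; DOTALL lets a form span several lines.
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form\s*>",
                     re.IGNORECASE | re.DOTALL)
# method=post in any quoting or case, but not data-method=...
METHOD_RE = re.compile(r"""(?<![\w-])method\s*=\s*["']?\s*post\b""", re.IGNORECASE)
TOKEN_RE = re.compile(r"\{%\s*csrf_token\s*%\}")
# A token inside a template comment is never rendered, so it must not count.
COMMENT_RE = re.compile(
    r"\{#[^\n]*?#\}|\{%\s*comment\s*%\}.*?\{%\s*endcomment\s*%\}", re.DOTALL)


def post_forms_missing_token(template_source):
    """Return 1-based line numbers of POST forms lacking {% csrf_token %}."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    cleaned = COMMENT_RE.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group(0)), template_source)
    missing = []
    for form in FORM_RE.finditer(cleaned):
        is_post = METHOD_RE.search(form.group("attrs"))
        if is_post and not TOKEN_RE.search(form.group("body")):
            missing.append(cleaned.count("\n", 0, form.start()) + 1)
    return missing


def scan(templates):
    """Map template name -> offending line numbers, omitting clean templates."""
    findings = {}
    for name, source in templates.items():
        lines = post_forms_missing_token(source)
        if lines:
            findings[name] = lines
    return findings


# Constructed sample templates (not taken from Djblets).
SAMPLES = {
    "protected.html": '<form method="post" action=".">\n {% csrf_token %}\n</form>\n',
    "unprotected.html": '<h1>Settings</h1>\n<form action="." method="POST">\n'
                        ' <input name="q">\n</form>\n',
    "commented.html": '<form method="post">\n {# {% csrf_token %} #}\n</form>\n',
    "search.html": '<form method="get"><input name="q"></form>\n',
}

if __name__ == "__main__":
    for name, lines in sorted(scan(SAMPLES).items()):
        print(f"{name}: POST form without csrf_token at line(s) {lines}")
```

    This covers only the templates; whether each POST-handling view carries @csrf_protect still has to be checked against the views themselves.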