
    Add CSRF protection to all POSTable views in Review Board.

    Review Request #5572 — Created March 2, 2014 and submitted — Latest diff uploaded

    Information

    Review Board
    release-2.0.x
    d90c719...

    All views in Review Board that handle HTTP POST requests are now
    decorated with a @csrf_protect decorator, and have matching
    {% csrf_token %} tags in the templates. This adds a layer of protection
    we didn't have before.

    Like the Djblets change, this doesn't affect the API, but does handle
    all the user-facing and admin-facing views that accept HTTP POST.

    Did the same testing I did with Djblets.

    Tested each view in Review Board, with the {% csrf_token %} tags removed.
    Saw the CSRF validation failures. Added back the tags, and was able to POST.
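
The description's invariant (every view that handles HTTP POST carries `@csrf_protect`) can be checked statically. The following is an added example, not part of this review request or Review Board's code: it assumes function-based views that read `request.POST` or test for the string `"POST"`, and it does not see class-based views or decorators applied in the URLconf. The sample module and the function names are constructed.

```python
import ast

# Constructed sample view module for illustration (not Review Board code).
SAMPLE_VIEWS = '''
from django.views.decorators.csrf import csrf_protect

@csrf_protect
def edit_profile(request):
    if request.method == "POST":
        save(request.POST)

def delete_item(request):
    remove(request.POST["id"])

def dashboard(request):
    return render(request, "dashboard.html")
'''


def _decorator_name(node):
    """Trailing name of a decorator: csrf_protect, mod.csrf_protect, or a call of either."""
    node = node.func if isinstance(node, ast.Call) else node
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None


def _handles_post(func):
    """True if the body reads an attribute named POST or uses the literal 'POST'."""
    return any(
        (isinstance(n, ast.Attribute) and n.attr == "POST")
        or (isinstance(n, ast.Constant) and n.value == "POST")
        for n in ast.walk(func)
    )


def unprotected_post_views(source):
    """Return (name, lineno) for functions that handle POST but lack @csrf_protect."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and _handles_post(node):
            names = {_decorator_name(d) for d in node.decorator_list}
            if "csrf_protect" not in names:
                findings.append((node.name, node.lineno))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    print(unprotected_post_views(SAMPLE_VIEWS))
```

A finding here is a prompt for review rather than proof of a gap, since protection may also come from middleware.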