It's clear now why CSRF didn't work on these pages: the csrf_token
templatetag requires rendering the template with a RequestContext.
I went through all code using render_to_response() without
RequestContext/NavContext and made sure that they don't process POST
data. I skimmed through the grep last time, but apparently I wasn't
very attentive.
I also permitted POST requests to /search/ again. These aren't sent by
the site itself, but it was allowed before, maybe for a reason.
api_varnish_purge still needs the @ssl_required fix -- I will submit that later.
Regards,
Marti
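
An added example, not part of the original message or the project's code: a stdlib-only audit that automates the review described above, listing render_to_response() calls made without a context instance and noting whether the enclosing view reads request.POST. The sample views and the helper names (audit, has_context, touches_post) are constructed for illustration.

```python
import ast

# Constructed sample of old-style Django views (not code from the project).
SAMPLE = '''
def search(request):
    q = request.POST.get("q", "")
    return render_to_response("search.html", {"q": q})

def about(request):
    return render_to_response("about.html", {})

def submit(request):
    form = Form(request.POST)
    return render_to_response("submit.html", {"form": form},
                              context_instance=RequestContext(request))

def org(request):
    return render_to_response("org.html", {}, NavContext(request, "about"))
'''

def has_context(call):
    """True if a context is passed; assumes the old signature (3rd positional)."""
    if len(call.args) >= 3:
        return True
    return any(kw.arg == "context_instance" for kw in call.keywords)

def touches_post(func):
    """True if the function reads an attribute named POST (e.g. request.POST)."""
    return any(isinstance(n, ast.Attribute) and n.attr == "POST"
               for n in ast.walk(func))

def audit(source):
    """Return (function, line, reads_post) for each render_to_response()
    call made without a context instance, so {% csrf_token %} renders empty."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            name = getattr(node, "func", None)
            if (isinstance(node, ast.Call)
                    and getattr(name, "id", getattr(name, "attr", None)) == "render_to_response"
                    and not has_context(node)):
                findings.append((func.name, node.lineno, touches_post(func)))
    return findings

if __name__ == "__main__":
    for name, line, reads_post in audit(SAMPLE):
        print(f"{name}:{line} no RequestContext; reads POST: {reads_post}")
```

Findings with reads_post set are the ones that need a context instance before CSRF protection can work on that view; the rest only need confirming that they never handle POST data.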