level12 / keg-auth

Robust authentication system for Keg


Why is the User form the only form to manually include csrf_token?

rsyring opened this issue · comments

Presumably, either CSRF is happening transparently on all our forms or it needs to be handled explicitly on all of them. Is there a reason the User form is the only form doing something explicit?

The reason this was the way it was is that when custom field ordering is set, the CSRF token needs to be included in that ordering, or else the field is omitted from the render.

keg-elements does the same thing in its __iter__. keg-auth just happened to have a version of that on the User form before the one in keg-elements existed.

That said, having that kind of logic in two places is problematic. And, the keg-elements version is more robust in that it checks the ordering to make sure fields are not accidentally left out. So, I've updated to rely on keg-elements field ordering (effectively removing the special treatment of the CSRF field). There is a small possibility of breakage here. But, the custom ordering is very rarely used in our projects, and very very rarely used in an extensive manner, so I think we'll be fine.
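An added illustration, not code from keg-auth or keg-elements (the class and field names are hypothetical), of the failure described above: a custom ordering that omits csrf_token silently drops it from the render, while an ordering check like the one described for keg-elements refuses such an ordering instead.

```python
# Added illustration, not keg-auth or keg-elements code. Form/field names are hypothetical.
from dataclasses import dataclass


@dataclass
class Field:
    name: str

    def render(self) -> str:
        return f'<input name="{self.name}">'


class NaiveOrderedForm:
    """Renders only the fields named in field_order; anything else is silently lost."""
    field_order: tuple = ()

    def __init__(self, *names):
        self._fields = {n: Field(n) for n in names}

    def __iter__(self):
        for name in self.field_order or tuple(self._fields):
            yield self._fields[name]

    def render(self) -> str:
        return "\n".join(f.render() for f in self)


class CheckedOrderedForm(NaiveOrderedForm):
    """Refuses a field_order that omits or misnames any field, csrf_token included."""

    def __iter__(self):
        if self.field_order:
            missing = set(self._fields) - set(self.field_order)
            unknown = set(self.field_order) - set(self._fields)
            if missing or unknown:
                raise ValueError(f"bad field_order: missing={sorted(missing)} unknown={sorted(unknown)}")
        yield from super().__iter__()


def rendered_names(form) -> list:
    return [f.name for f in form]


def naive_user_form():
    class UserForm(NaiveOrderedForm):
        field_order = ("email", "password")  # csrf_token forgotten: dropped from render
    return UserForm("csrf_token", "email", "password")


def checked_user_form(include_csrf: bool):
    class UserForm(CheckedOrderedForm):
        field_order = ("csrf_token", "email", "password") if include_csrf else ("email", "password")
    return UserForm("csrf_token", "email", "password")
```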