CSRF verification failed
Further to the post on Google Groups (CSRF verification failed in 3.0.2 - https://groups.google.com/forum/#!topic/mayan-edms/ZeBGsvba51w), this bug still appears to be present (in 3.0.3) when accessing the site over HTTPS (in my case, through an nginx reverse proxy; it works OK if connecting directly to http://localhost:8000). Django does stricter CSRF checking over HTTPS, so I think it's that rather than a reverse proxy issue.
I've narrowed the issue down to the X-Alt-Referer header that's being generated in "partial_navigation.js" (https://gitlab.com/mayan-edms/mayan-edms/blob/master/mayan/apps/appearance/static/appearance/js/partial_navigation.js).
I get a 403 when that is sent. If I remove the header from the POST request via my browser's dev console, I get a 278 status code and the appropriate changes are made.
If I modify the header so that instead of:
X-Alt-Referer: /user/edit/
I use
X-Alt-Referer: https://mysubdomain.example.com/user/edit/
it also works. I have done a quick and dirty workaround by stripping the header at an nginx level with the following line within my server block:
proxy_set_header X-Alt-Referer "";
However, this is obviously not ideal and I don't know what it might affect later.
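
Added example (not part of the original report, and not Django's or Mayan's own code): a simplified Python model of the Referer validation that Django's CSRF middleware applies to HTTPS requests, showing why the relative value is rejected while the absolute URL, or no X-Alt-Referer at all, passes. It assumes the application evaluates X-Alt-Referer in place of Referer when that header is present; the function names and sample headers are constructed for illustration.

```python
from urllib.parse import urlparse

# Rejection reasons, modelled on the categories Django reports for HTTPS requests.
NO_REFERER = "no Referer"
MALFORMED = "Referer is malformed"
INSECURE = "Referer is insecure"
BAD_ORIGIN = "Referer does not match the request host"


def strict_referer_check(referer, request_host):
    """Return None if the Referer passes, otherwise the rejection reason."""
    if not referer:
        return NO_REFERER
    parsed = urlparse(referer)
    # A relative path such as "/user/edit/" has neither a scheme nor a host.
    if "" in (parsed.scheme, parsed.netloc):
        return MALFORMED
    if parsed.scheme != "https":
        return INSECURE
    if parsed.netloc.lower() != request_host.lower():
        return BAD_ORIGIN
    return None


def effective_referer(headers):
    """Assumption: X-Alt-Referer, when present, is used instead of Referer."""
    return headers.get("X-Alt-Referer") or headers.get("Referer")


# Constructed sample requests, using the host name from the report.
HOST = "mysubdomain.example.com"
BROWSER_REFERER = "https://mysubdomain.example.com/"
CASES = {
    "relative X-Alt-Referer": {"Referer": BROWSER_REFERER,
                               "X-Alt-Referer": "/user/edit/"},
    "absolute X-Alt-Referer": {"Referer": BROWSER_REFERER,
                               "X-Alt-Referer": "https://mysubdomain.example.com/user/edit/"},
    # nginx does not forward a header whose value is set to an empty string.
    "header stripped by proxy": {"Referer": BROWSER_REFERER},
}


def evaluate_cases():
    """Map each sample request to its rejection reason (None means accepted)."""
    return {name: strict_referer_check(effective_referer(h), HOST)
            for name, h in CASES.items()}


if __name__ == "__main__":
    for name, reason in evaluate_cases().items():
        print(f"{name}: {'403 (' + reason + ')' if reason else 'accepted'}")
```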