Get rid of custom CSRF protection for user role changes

By restricting role changes to POST requests, which they should be
anyway, we get all the rails CSRF protection for free.

app/controllers/user_roles_controller.rb

@@ -8,7 +8,6 @@ class UserRolesController < ApplicationController
   before_filter :require_valid_role
   before_filter :not_in_role, :only => [:grant]
   before_filter :in_role, :only => [:revoke]
-  around_filter :setup_nonce
 
   def grant
     @this_user.roles.create({
@@ -38,22 +37,6 @@ class UserRolesController < ApplicationController
     redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
   end
 
-  ##
-  # the random nonce here which isn't predictable, making an CSRF 
-  # procedure much, much more difficult. setup the nonce. if the given
-  # nonce matches the session nonce then yield into the actual method.
-  # otherwise, just sets up the nonce for the form.
-  def setup_nonce
-    if params[:nonce] and params[:nonce] == session[:nonce]
-      @nonce = params[:nonce]
-      yield
-    else
-      @nonce = OAuth::Helper.generate_nonce
-      session[:nonce] = @nonce
-      render
-    end
-  end    
-
   ##
   # require that the given role is valid. the role is a URL 
   # parameter, so should always be present.

app/views/user/view.html.erb

@@ -5,9 +5,9 @@
 <% UserRole::ALL_ROLES.each do |role| %>
   <% if @user and @user.administrator? %>
     <% if @this_user.has_role? role %>
-      <%= link_to(image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.revoke.#{role}"), :title => t("user.view.role.revoke.#{role}")), :controller => 'user_roles', :action => 'revoke', :display_name => @this_user.display_name, :role => role) %>
+      <%= link_to image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.revoke.#{role}"), :title => t("user.view.role.revoke.#{role}")), revoke_role_path(:display_name => @this_user.display_name, :role => role), :method => :post, :confirm => t('user_role.revoke.are_you_sure', :name => @this_user.display_name, :role => role) %>
     <% else %>
-      <%= link_to(image_tag("roles/blank_#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.grant.#{role}"), :title => t("user.view.role.grant.#{role}")), :controller => 'user_roles', :action => 'grant', :display_name => @this_user.display_name, :role => role) %>
+      <%= link_to image_tag("roles/blank_#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.grant.#{role}"), :title => t("user.view.role.grant.#{role}")), grant_role_path(:display_name => @this_user.display_name, :role => role), :method => :post, :confirm => t('user_role.grant.are_you_sure', :name => @this_user.display_name, :role => role) %>
     <% end %>
   <% elsif @this_user.has_role? role %>
     <%= image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.#{role}"), :title => t("user.view.role.#{role}")) %>

app/views/user_roles/grant.html.erb

@@ -1,7 +0,0 @@
-<%= form_tag request.fullpath do %>
-<%= hidden_field_tag 'nonce', @nonce %>
-<% @title = t('user_role.grant.heading') %>
-<h1><%= t('user_role.grant.heading') %></h1>
-<p><%= t('user_role.grant.are_you_sure', :name => params[:display_name], :role => params[:role]) %></p>
-<p><%= submit_tag t('user_role.grant.confirm') %></p>
-<% end %>

app/views/user_roles/revoke.html.erb

@@ -1,7 +0,0 @@
-<%= form_tag request.fullpath do %>
-<%= hidden_field_tag 'nonce', @nonce %>
-<% @title = t('user_role.revoke.heading') %>
-<h1><%= t('user_role.revoke.heading') %></h1>
-<p><%= t('user_role.revoke.are_you_sure', :name => params[:display_name], :role => params[:role]) %></p>
-<p><%= submit_tag t'user_role.revoke.confirm' %></p>
-<% end %>