This was a temporary hack to work around issues with sessions getting mixed up at the time of the Rails 3.1 upgrade, but logs indicate that whatever the original problem was, it is no longer occurring.
By restricting role changes to POST requests, which they should be anyway, we get all the Rails CSRF protection for free.