Protecting actions from user

Hi vapor,
Even I faced the same problem, but I designed my project in this way; I don't know whether it suits your application.

In my application I don't have any guest user, and for each user the access to pages is restricted, except for some default pages like login, logout etc.
The restriction is done with the help of before_filter, so before anything gets executed it checks whether the user is logged in and has the particular action/actions associated as part of his role. And speaking about the create method, as Shai mentioned, all your actions which change the state of the application should never be submitted through GET, and I guess you will be having proper validation before serializing anything.

Hope it helps,
Good Luck
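An added example (not the poster's code) of the before_filter pattern described above, written in plain Ruby so it runs without Rails; the role table, the public-page list and the controller/action names are assumed.

```ruby
require 'set'

# Constructed role table (assumed names): which actions each role may call.
ROLE_ACTIONS = {
  'admin'  => Set['index', 'show', 'create', 'destroy'],
  'viewer' => Set['index', 'show']
}.freeze

# "Default pages" that need no login, as the post describes.
PUBLIC_ACTIONS = Set['login', 'logout'].freeze

# Actions that change application state; never accept these over GET.
MUTATING_ACTIONS = Set['create', 'update', 'destroy'].freeze

# Minimal stand-in for a Rails controller with before_filter semantics.
class BaseController
  def self.before_filter(name); filters << name; end
  def self.filters; @filters ||= []; end

  attr_reader :session, :request_method, :action_name

  def initialize(session, request_method = 'GET')
    @session = session
    @request_method = request_method
  end

  # Dispatch: every before_filter runs first; one returning false halts the
  # chain and the action itself never executes.
  def process(action)
    @action_name = action.to_s
    self.class.filters.each { |f| return :forbidden unless send(f) }
    send(@action_name)
  end
end

class ProductsController < BaseController
  before_filter :check_access

  def index;  :listed;     end
  def create; :created;    end
  def login;  :login_page; end

  private

  # The before_filter: public pages pass; everything else needs a logged-in
  # user whose role grants this action, and a non-GET verb for state changes.
  def check_access
    return true if PUBLIC_ACTIONS.include?(action_name)
    return false unless session[:user_id]
    return false unless ROLE_ACTIONS.fetch(session[:role], Set[]).include?(action_name)
    !(MUTATING_ACTIONS.include?(action_name) && request_method == 'GET')
  end
end
```

A logged-out request to a restricted action, a viewer calling create, or an admin calling create over GET all stop at the filter and return :forbidden.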