CSRF in gadgets plugin


      The affected methods are:

      AddOrRemoveGadgetSpecAction, doAdd
      AddOrRemoveGadgetSpecAction, doRemove
      AddOrRemoveGadgetFeedAction, doAddGadgetFeed
      AddOrRemoveGadgetFeedAction, doRemoveGadgetFeed
      WhitelistAdminAction, doAddWhitelistUrl
      WhitelistAdminAction, doRemoveWhitelistUrl
      RevokeOAuthTokensAction, execute

      I'm proposing to leave the RevokeOAuthTokensAction unprotected, as the impact of a successful attack seems low, the difficulty of attack seems high (requires a token to be known), and it's a little more inconvenient to fix (I believe the JS in the atlassian-oauth repository would need to be changed.)
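To make the issue concrete, the following is an added, self-contained model of the problem described above; it is not code from the Atlassian gadgets plugin or the atlassian-oauth repository. The class and function names (Session, Request, GadgetSpecStore, vulnerable_do_add, protected_do_add) and the request parameter name xsrf_token are invented for illustration. It places an unprotected state-changing handler beside a synchronizer-token-protected one and runs a forged cross-site POST against each: the browser attaches the victim's session cookie to the forged request, so the unprotected handler accepts it, while the protected handler rejects it because the attacker cannot read the per-session token.

```python
"""Synchronizer-token CSRF protection, illustrated with a toy action handler.

Added example: a self-contained model of the issue, not the plugin's own code.
All names (Session, Request, GadgetSpecStore, xsrf_token, ...) are invented.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session, looked up from a cookie the browser sends automatically."""
    user: str
    xsrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request that matter for CSRF.

    `session` stands for the session resolved from the cookie. Browsers attach
    cookies to cross-site form posts too, so a request forged by attacker.example
    still arrives carrying the victim's session.
    """
    method: str
    params: dict
    session: Session


class GadgetSpecStore:
    """Stand-in for whatever the real doAdd/doRemove mutate."""

    def __init__(self):
        self.specs = set()


def vulnerable_do_add(store, request):
    """Unprotected doAdd: any POST that carries the victim's cookie succeeds."""
    if request.method != "POST":
        return 405
    store.specs.add(request.params["url"])
    return 200


def protected_do_add(store, request):
    """Hardened doAdd: the request must also carry the session's XSRF token.

    The token lives in the session and is only exposed to same-origin pages
    (rendered into the form or fetched by same-origin JS), so a cross-site
    attacker cannot supply it. compare_digest keeps the check constant-time.
    """
    if request.method != "POST":
        return 405
    supplied = request.params.get("xsrf_token", "")
    if not hmac.compare_digest(supplied, request.session.xsrf_token):
        return 403
    store.specs.add(request.params["url"])
    return 200


def simulate_attack(handler):
    """Return (stored specs, status) after a forged cross-site POST.

    The attacker knows the action URL and relies on the browser attaching the
    victim's session cookie, but has no way to read the session's token.
    Constructed sample data, not a real gadget spec.
    """
    victim = Session(user="admin")
    store = GadgetSpecStore()
    forged = Request("POST", {"url": "https://attacker.example/evil-gadget.xml"}, victim)
    status = handler(store, forged)
    return sorted(store.specs), status


def simulate_legit(handler):
    """Same-origin form submission that includes the token rendered into the page."""
    victim = Session(user="admin")
    store = GadgetSpecStore()
    legit = Request(
        "POST",
        {"url": "https://gadgets.example/spec.xml", "xsrf_token": victim.xsrf_token},
        victim,
    )
    status = handler(store, legit)
    return sorted(store.specs), status


if __name__ == "__main__":
    print("forged POST vs vulnerable handler:", simulate_attack(vulnerable_do_add))
    print("forged POST vs protected handler: ", simulate_attack(protected_do_add))
    print("legit POST vs protected handler:  ", simulate_legit(protected_do_add))
```

The same check applies to each of the listed doAdd/doRemove/doAddWhitelistUrl/doRemoveWhitelistUrl methods, since each changes server state on a cookie-authenticated POST; the rejection status and the parameter name are illustrative choices, not the plugin's.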

              Assignee:
              Dougall Johnson
              Reporter:
              Dougall Johnson
              Votes:
              0
              Watchers:
              4