controllers: refactor rate limits.

Refactor controllers so that endpoint rate limits are declared locally,
with the endpoint, instead of globally, in a single method in ApplicationController.

This way an endpoint's rate limit is declared in the same file as the
endpoint itself.

This is so we can add fine-grained rate limits for certain GET requests.
Before rate limits were only for non-GET requests.

app/controllers/users_controller.rb

@@ -1,6 +1,8 @@
 class UsersController < ApplicationController
   respond_to :html, :xml, :json
 
+  rate_limit :create, rate: 1.0/5.minutes, burst: 10
+
   def new
     @user = authorize User.new
     @user.email_address = EmailAddress.new