[Flow] The confusing policy role stuff
Jan Greth
jan at greth.me
Tue Feb 11 21:34:53 CET 2014
Hi all,
I'm a bit confused about the whole roles, resources and acls stuff.
Let's say I have the example CoffeeBean Controller with index, show,
new, create, edit, update and delete action.
I also have a simple Login Controller with index, authenticate,
register, create and logout action. The login stuff works fine but now
I'm wondering about the following things:
Even if I'm not logged in, I can call all(!) actions from all
Controllers without any problem. How can I fix it?
There should be two groups of Users, so my section of Policy.yaml will
look like this:

    roles:
      User: []
      Advanced: ['User']

A non-logged-in person should only be able to call the register and
index actions from the LoginController (authenticate and create are called
by the Controller itself and logout should only be called by a logged-in
person).
User(s) should be able to call the index and show actions of the
CoffeeBeanController.
Advanced (Users) should be able to use all User actions and additionally be
able to use the new, edit and delete Actions. (The create and update Actions
are called by the Controller.)
So: How would you set up the

    resources:
      methods:
        ...

and

    acls:
      User:
        methods:
      Advanced:
        methods:

sections of the Policy.yaml file? In general: What do I have to do to
secure my Application, so that nothing but the Login methods can be
called? Is there any tutorial besides the Documentation? This is quite
confusing... :(
I would be glad if anyone could give me an example.
So long, a nice evening and good night,
Jan
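One way to express the requirements from the post in Flow 2.x Policy.yaml syntax (an added example, not from the original post or the Flow project; the package namespace Acme\Demo and the resource names are assumed):

```yaml
# Added example, not from the original post. Assumes the Flow 2.x policy
# format (resources/roles/acls) and a hypothetical package namespace Acme\Demo.
resources:
  methods:
    # LoginController index/register/authenticate/create are deliberately NOT
    # matched by any resource, so anonymous visitors can still reach them.
    Acme_Demo_Logout: 'method(Acme\Demo\Controller\LoginController->logoutAction())'
    # Read-only CoffeeBean actions
    Acme_Demo_CoffeeBean_Read: 'method(Acme\Demo\Controller\CoffeeBeanController->(index|show)Action())'
    # Modifying CoffeeBean actions (create/update included, since they are
    # reachable over HTTP even when the forms are generated by the controller)
    Acme_Demo_CoffeeBean_Write: 'method(Acme\Demo\Controller\CoffeeBeanController->(new|create|edit|update|delete)Action())'

roles:
  User: []
  Advanced: ['User']   # inherits everything granted to User

acls:
  User:
    methods:
      Acme_Demo_Logout: GRANT
      Acme_Demo_CoffeeBean_Read: GRANT
  Advanced:
    methods:
      Acme_Demo_CoffeeBean_Write: GRANT
```

Any method matched by a resource but not granted to one of the authenticated account's roles is rejected with an AccessDeniedException, while methods matched by no resource stay open, so every action you want protected must appear in some resource. The roles themselves are attached to the Account when it is created (e.g. at registration), which is assumed here rather than shown.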