[Flow] The confusing policy role stuff

Jan Greth jan at greth.me
Tue Feb 11 22:48:28 CET 2014


Hey Aimo,

thanks for your reply. I'll give it a try.

> First of all: make everything that should be protected a resource.
> E.g.
>
> resources:
>   methods:
>     'Foo': 'method(Vendor\Package\Controller\CoffeeBeanController->(index|show)Action())'
>     'Bar': 'method(Vendor\Package\Controller\CoffeeBeanController->(new|create|edit|update|delete)Action())'
>

Ok, just to clarify my confused mind: an action / controller / etc. NOT mentioned under "resources: methods:" is NOT protected and always callable. Is that right?

> This will be enough to prevent not-logged-in users from calling it.
> If not, you have a typo or some other misconfiguration!
>
> Then, as you already noted, there's two types of persons allowed to access something:
>
> roles:
>   DefaultUser: []
>   AdvancedUser: ['User']
>
> Watch out for indentation -> two spaces is the only allowed indentation - nothing else!

OK, I'll double-check!

> Wire users and resources via the ACLs
>
> acls:
>   'DefaultUser':
>     methods:
>       'Foo': GRANT
>   'AdvancedUser':
>     methods:
>       'Bar': GRANT

Are the single quotes (') around DefaultUser, AdvancedUser, Foo and Bar needed? I couldn't find a hint in the docs...

> There's two more things:
> 1) don't secure the logout action! If you secure the logout action and some not logged in user calls it, it might redirect the user to the login form. If he then logs in, he might be redirected back to the logout action (because that's where he came from), and then... well...

Ok, I'll check that, too.

> 2) you say "The create and update Actions are called by the Controller". Either it's just not an action, or the controller won't call it himself, OR I really didn't get your use case.

Mh... I think I got a worm in my mind. Of course they're also called by a user. I meant: new outputs a form, this calls create, which creates the object... The completely noobish standard way... :)

> Greetings,
>
> Aimo

And as always when diggin' into new things, during the last minutes there appeared some further questions:

1. Are there options in Settings.yaml that have effects on the settings made in Policy.yaml, and which?

2. Can an action be mentioned more than one time in resources: methods:?
E.g.:
One: 'method(Vendor\Package\Controller\.*Controller->index.*())'
Two: 'method(Vendor\Package\Controller\AbcController->.*Action())'
What happens to AbcController->indexAction() if I 'GRANT' One and 'DENY' Two?

3. Assuming I have the roles User: [] and Superuser: ['User']: User should be denied access to a method, Superuser should be able to call it. How would I write that?

4. Is it necessary/good/not good to configure the Firewall AND ACLs? Under which circumstances would you do what?

I hope you can help me with this again. Nice evening and greetings from 
Bavaria,
Jan
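An added check that is not part of this thread or of the Flow framework: a small Python audit that applies the points raised above to a constructed Policy.yaml in the shape quoted here, listing which known actions fall under no resource (and so are never checked), which fall under several resources (the situation in question 2), where one role's ACL yields both GRANT and DENY for the same action, and whether a logout action has been secured. It approximates Flow's method() pointcut matching with anchored regexes; the package, controller, resource and role names are assumptions, and the policy is inlined as the dict yaml.safe_load would return so the script runs without PyYAML.

```python
import re
# Constructed Policy.yaml in the shape quoted in the thread, inlined as the dict
# yaml.safe_load would return (no PyYAML needed); all names are assumptions.
POLICY = {
    "resources": {"methods": {
        "Foo": "method(Vendor\\Package\\Controller\\CoffeeBeanController->(index|show)Action())",
        "Bar": "method(Vendor\\Package\\Controller\\CoffeeBeanController->(new|create|edit|update|delete)Action())",
        "One": "method(Vendor\\Package\\Controller\\.*Controller->index.*())",
        "Two": "method(Vendor\\Package\\Controller\\AbcController->.*Action())",
        "Auth": "method(Vendor\\Package\\Controller\\AuthenticationController->.*Action())",
    }},
    "acls": {
        "DefaultUser": {"methods": {"Foo": "GRANT"}},
        "AdvancedUser": {"methods": {"Bar": "GRANT", "One": "GRANT", "Two": "DENY", "Auth": "GRANT"}},
    },
}
ACTIONS = [  # constructed list of the controller actions that exist in the package
    "Vendor\\Package\\Controller\\CoffeeBeanController->indexAction",
    "Vendor\\Package\\Controller\\CoffeeBeanController->exportAction",
    "Vendor\\Package\\Controller\\AbcController->indexAction",
    "Vendor\\Package\\Controller\\AuthenticationController->logoutAction",
]

def compile_resource(expr):
    """Split a method() pointcut into anchored class and method regexes ('\\' matches a namespace separator)."""
    m = re.match(r"^method\((?P<cls>.+)->(?P<meth>.+)\(\)\)$", expr)
    if not m:
        raise ValueError("unsupported pointcut: " + expr)
    return re.compile("^" + m["cls"].replace("\\", "\\\\") + "$"), re.compile("^" + m["meth"] + "$")

def matching_resources(policy, action):
    cls, meth = action.split("->")  # action is written as 'Class->method'
    return [name for name, expr in policy["resources"]["methods"].items()
            if all(r.match(s) for r, s in zip(compile_resource(expr), (cls, meth)))]

def audit(policy, actions):
    report = {"unprotected": [], "overlapping": {}, "logout_protected": [], "conflicts": {}}
    for action in actions:
        hits = matching_resources(policy, action)
        if not hits:                                # no resource: the policy never sees the call
            report["unprotected"].append(action)
        if len(hits) > 1:                           # one action covered by several resources
            report["overlapping"][action] = hits
        if hits and re.search(r"->logout\w*$", action):  # secured logout -> redirect loop risk
            report["logout_protected"].append(action)
        for role, acl in policy["acls"].items():    # one role gets GRANT and DENY for one action
            privileges = {acl.get("methods", {}).get(h) for h in hits} - {None}
            if len(privileges) > 1:
                report["conflicts"][(role, action)] = sorted(privileges)
    return report
```

Run `audit(POLICY, ACTIONS)` against your own Policy.yaml (loaded with yaml.safe_load) and action list to see the same four findings for a real package.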