# ACL in this system is defined as follows:
#
# - Roles:
#   Roles define a group of users, like Author, Admin, Guest etc.
#   Each role can inherit other roles with the "inherits" key.
#   Each role can gain access to a zone (explained later) with the
#   "allowed-zones" key. By default a role is denied access to all zones.
#
# - Resources:
#   Resources map directly to controller names. If a controller is not
#   under the default module, / format is used instead.
#
#   A special wildcard "*" character can be used to allow access to all
#   controllers (most likely only useful for non-default modules).
#
#   There are 2 controllers/resources that are a bit special:
#   the index and error resources are always accessible by everyone (i.e. they
#   are not part of the ACL).
#
# - Access levels:
#   These are not used in this system. A hardcoded "All" level is used.
#
# Zones
#
# A zone is defined as 1 or more resources. For example, a "backend" zone can
# have 2 controllers/resources (site-config, user-manager).
acl:
  roles:
    guest:
      allowed-zones: public
      description: Non logged in users
    user:
      inherits: guest
      allowed-zones: user
      description: Logged in users
    admin:
      inherits: user
      description: Administrators
      allowed-zones: backend
  zones:
    public: [ auth, api ]
    user: [ user, callback ]
    backend: backend/*
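
# Added example, not part of the original configuration or of the application that reads it:
# a small Python model of the rules described in the comments above (deny by default, zone
# inheritance, the "module/*" wildcard, index and error always open). The function names and
# the exact matching semantics are assumptions made for illustration.

```python
# The dict mirrors the YAML above; all function names are hypothetical.
ACL = {
    "roles": {
        "guest": {"allowed-zones": "public"},
        "user": {"inherits": "guest", "allowed-zones": "user"},
        "admin": {"inherits": "user", "allowed-zones": "backend"},
    },
    "zones": {
        "public": ["auth", "api"],
        "user": ["user", "callback"],
        "backend": "backend/*",  # scalar in the config, normalised by as_list
    },
}
ALWAYS_OPEN = {"index", "error"}  # outside the ACL, reachable by everyone


def as_list(value):
    """Accept either a YAML scalar or a YAML list."""
    return [value] if isinstance(value, str) else list(value)


def zones_for(role, acl=ACL):
    """Zones granted to a role, including those inherited from parents."""
    zones, seen = set(), set()
    pending = [role]
    while pending:
        name = pending.pop()
        if name in seen or name not in acl["roles"]:
            continue  # break inheritance cycles, ignore unknown roles
        seen.add(name)
        entry = acl["roles"][name]
        zones.update(as_list(entry.get("allowed-zones", [])))
        pending.extend(as_list(entry.get("inherits", [])))
    return zones


def is_allowed(role, resource, acl=ACL):
    """Deny by default; allow only if a granted zone lists the resource."""
    if resource in ALWAYS_OPEN:
        return True
    for zone in zones_for(role, acl):
        for pattern in as_list(acl["zones"].get(zone, [])):
            # "module/*" covers every controller in that one module
            wildcard = pattern.endswith("/*") and resource.startswith(pattern[:-1])
            if pattern == resource or wildcard:
                return True
    return False
```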