Explicit ALLOW and DENY for Guards (in particular, permissions guards)

[claytondaley]

In retrospect, it's clear in the documentation that:

[] = DENY
['*'] = ALLOW

This is intuitive for standard "role" guards since they're "require any" operators. The star says all roles match (and the guest_role means we always have a role). Unfortunately, the syntax is confusing for permissions guards. Since permission are a "require all" guard, it seems intuitive for [] to mean that no permissions are required (e.g. allow).

I realize there's no chance that this will change in the code. My suggestion instead is to change the documentation to create and explicitly use GuardInterface::ALWAYS_ALLOW and GuardInterface::ALWAYS_DENY for these examples.