Role based access control is very simple: every user has a list of roles,
which that user is allowed to assume, and every restricted part of the app
makes an assertion about the necessary roles.

With 'assert_user_roles', if the user is a member in *all* of the required
roles access is granted. Otherwise, access is denied. With
'assert_any_user_role' it is enough that the user is a member in *one*
role.

There are alternative approaches to do this on a per action basis, see the
Catalyst::ActionRole::ACL manpage.

For example, if you have a CRUD application, for every mutating action you
probably want to check that the user is allowed to edit. To do this, create
an editor role, and add that role to every user who is allowed to edit.

sub edit : Local {
my ( $self, $c ) = @_;
$c->assert_user_roles( qw/editor/ );
$c->model("TheModel")->make_changes();
}

When this plugin checks the roles of a user it will first see if the user
supports the self check method.

When this is not supported the list of roles is extracted from the user
using the 'roles' method.

When this is supported, the 'check_roles' method will be used to delegate
the role check to the user class. Classes like the one provided with the
iCatalyst::Authentication::Store::DBIx::Class manpage optimize the check
this way.