What I am trying to say is lets say you have a controller mapped like this
and this handles rendering the form for create.
and you also have a method like this
and this handles the save action for the create user form.
If you want to both of these to be access denied you want to change this
which only restricts the second to this
which will restrict it regardless of the HTTP method used.
Also another thing to be aware of when you are working on this is that when defining patterns
remember that they are evaluated in the order they are defined, therefore more specific patterns should always be higher in the list than less specific patterns. I don't know if this is causing you issues since you just posted the one intercept-url but it is something you should
keep in mind.