author Sitaram Chamarty <sitaram@sita-lt.atc.tcs.com> 2010-01-30 08:35:43 +0530
committer Sitaram Chamarty <sitaram@sita-lt.atc.tcs.com> 2010-01-30 08:35:43 +0530
commit b4a65ab73ce7abeaccd5f23c5b0a77d069e029bc
tree d3c51ad9f5b0d2105b0103d82bca00447c5ac3f1
parent easy install: two rc file update bugs fixed
doc/3: couple of clarifications
- deny rules only apply to "W" ops
- be more specific about what allows "R" to pass
-rw-r--r-- doc/3-faq-tips-etc.mkd 8
1 files changed, 5 insertions, 3 deletions
diff --git a/doc/3-faq-tips-etc.mkd b/doc/3-faq-tips-etc.mkd
index 8b82086..4f305d0 100644
--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
@@ -217,8 +217,8 @@ Note that at this point no git program has entered the picture, and we have no
way of knowing what **ref** (branch, tag, etc) he is trying to update, even if
it is a "write" operation.
-For a "read" operation to pass this check, the username (or `@all`) must be
-mentioned on some line in the config for this repo.
+For a "read" operation to pass this check, the username (or `@all`) must have
+read permission (i.e., R, RW, or RW+) on at least one branch of the repo.
For a "write" operation, there is an additional restriction: lines specifying
only `R` (read access) don't count. *The user must have write access to
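Review bot: In the added lines, "on at least one branch of the repo" is narrower than the "**ref** (branch, tag, etc)" wording in the context line just above; if a rule on any ref satisfies this first-level check, say "at least one ref" so readers do not assume a rule that names only tags is excluded. The unchanged sentence that follows still says "lines specifying only `R` (read access) don't count", which leaned on the removed "mentioned on some line" phrasing; reword it in the same permission terms so the read and write cases read as parallel conditions.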
@@ -501,7 +501,9 @@ that code path to better use :-)
***IMPORTANT CAVEAT: if you use deny rules, the order of the rules also makes
a difference, where earlier it did not. Please review your ruleset carefully
or test it. In particular, do not use `@all` in a deny rule -- it won't work
-as you might expect***.
+as you might expect***. Also, deny rules are only processed in the second
+level checks (see "two levels of access rights checking" above), which means
+they only apply to write operations.
Take a look at the following snippet, which *seems* to say that "bruce" can
write versioned tags (anything containing `refs/tags/v[0-9]`), but the other
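Review bot: The added sentence lands after the closing `***`, so the limitation that deny rules apply only to write operations falls outside the emphasized IMPORTANT CAVEAT, although it is the part most likely to be mistaken for an access control guarantee. Consider moving it inside the emphasis and stating the consequence directly: a deny rule does not stop a user who otherwise has read permission from reading the repo. The cross-reference quotes "two levels of access rights checking" as a section title that is not visible in this hunk; check that it matches the heading text exactly.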