diff --git a/docs/zdgbook/Security.rst b/docs/zdgbook/Security.rst
index affeaed2d5..cdb82eb4d7 100644
--- a/docs/zdgbook/Security.rst
+++ b/docs/zdgbook/Security.rst
@@ -38,8 +38,14 @@ determine whether to allow or deny access to a visitor for a
 particular object.  For example, when a user visits the root
 ``index_html`` object of your site via HTTP, the security policy is
 consulted by ``ZPublisher`` to determine whether the user has
-permission to view the ``index_html`` object itself.  For more
-information on this topic, see the chapter on :doc:`ObjectPublishing`.
+permission to view the ``index_html`` object itself.
+
+On top of that, the publisher also defines other rules to determine
+which objects can be published. The most important of these is that 
+objects which are published must have a docstring.
+
+For more information on this topic, see the chapter on 
+:doc:`ObjectPublishing`.
 
 
 How The Security Policy Relates to Restricted Code
@@ -129,6 +135,10 @@ In short, the default Zope security policy ensures the following:
   user does not possess a role that has been granted the permission
   in question, access is denied.
 
+- objects can only be published if they have a doc string. This
+  restriction exists outside the security policy itself. 
+
+
 As we delve further into Zope security within this chapter, we'll see
 exactly what it means to associate security information with an
 object.