zopefoundation · icemac · May 14, 2020 · May 14, 2020 · May 14, 2020 · May 14, 2020
diff --git a/docs/zdgbook/Security.rst b/docs/zdgbook/Security.rst
@@ -38,8 +38,14 @@ determine whether to allow or deny access to a visitor for a
 particular object.  For example, when a user visits the root
 ``index_html`` object of your site via HTTP, the security policy is
 consulted by ``ZPublisher`` to determine whether the user has
-permission to view the ``index_html`` object itself.  For more
-information on this topic, see the chapter on :doc:`ObjectPublishing`.
+permission to view the ``index_html`` object itself.
+
+On top of that, publisher also defines other rules to determine which
+objects can be published. The most important of these is that Objects
+which are published must have a docstring.
+
+For more information on this topic, see the chapter on 
+:doc:`ObjectPublishing`.
 
 
 How The Security Policy Relates to Restricted Code
@@ -129,6 +135,10 @@ In short, the default Zope security policy ensures the following:
   user does not possess a role that has been granted the permission
   in question, access is denied.
 
+- not directly part of the security policy, but also important is the
+  rule, that objects can only be published if they have a doc string. 
+
+
 As we delve further into Zope security within this chapter, we'll see
 exactly what it means to associate security information with an
 object.