From 2f1209aef6ef1335dc778730572d72880f40fb69 Mon Sep 17 00:00:00 2001
From: Chris McDonough <chrism@agendaless.com>
Date: Sat, 6 Sep 2008 00:07:46 +0000
Subject: Info about debugging security failures.

---
 docs/narr/security.rst | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'docs/narr')

diff --git a/docs/narr/security.rst b/docs/narr/security.rst
index fb1ad3ee7..fa8a5d032 100644
--- a/docs/narr/security.rst
+++ b/docs/narr/security.rst
@@ -144,3 +144,17 @@ but otherwise acts the same as your model object.
 You can of course supply ``__name__`` and ``__parent__`` attributes
 explicitly on all of your model objects, and no location proxying will
 be performed.
+
+Debugging Security Failures
+---------------------------
+
+If your application is allowing or denying access inappropriately (in
+your judgment), start your application under a shell using the
+``BFG_SECURITY_DEBUG`` environment variable.  For example::
+
+  BFG_SECURITY_DEBUG=1 bin/paster serve myproject.ini
+
+When any authorization takes place, a message will be logged to the
+console about what ACE in which ACL permitted or denied the
+authorization based on authentication information.
+
-- 
cgit v1.2.3