diff --git a/contrib/adc/get-rights-and-owner.in-perl b/contrib/adc/get-rights-and-owner.in-perl index defc360..eec88d0 100755 --- a/contrib/adc/get-rights-and-owner.in-perl +++ b/contrib/adc/get-rights-and-owner.in-perl @@ -43,3 +43,10 @@ my $ret = check_access($repo, 'refs/heads/foo', 'W', 1); # refs/.* # or perhaps this, if you were denied # DENIED by fallthru + +# NOTE: do NOT pass "R" as the 3rd argument. It will seem to work because +# you're merely testing the permissions in this code, but an *actual* "git +# fetch" for even a DENIED ref will succeed if the user has read access to at +# least one branch. This is because the information on what ref is being read +# is not made available externally in any useful way (the way the "update" +# hook gets its arguments when a push happens). diff --git a/doc/gitolite.conf.mkd b/doc/gitolite.conf.mkd index a6c2670..663848d 100644 --- a/doc/gitolite.conf.mkd +++ b/doc/gitolite.conf.mkd @@ -113,6 +113,8 @@ check. Much of the complexity applies only to the second level check, so that is all we will be discussing here. This check is done by the update hook, and determines whether the push succeeds or fails. +[l2]: http://sitaramc.github.com/gitolite/doc/3-faq-tips-etc.html#_two_levels_of_access_rights_checking + For basic permissions like this, matching is simple. Gitolite already knows: * the user
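Review bot: In the comment added after "# DENIED by fallthru" in get-rights-and-owner.in-perl, the closing parenthetical "(the way the "update" hook gets its arguments when a push happens)" reads as if it described how the ref is exposed on a read, when it is meant as the contrast. Suggest wording it as: unlike a push, where the "update" hook receives the ref as an argument. The warning is about a check_access result that does not match what an actual "git fetch" allows, so it would also be harder to miss if it sat directly above the check_access($repo, 'refs/heads/foo', 'W', 1) call shown in the hunk header instead of after the sample output at the end of the file.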
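Review bot: The "[l2]:" link definition added in doc/gitolite.conf.mkd has no matching "[...][l2]" reference in the visible context lines, so please confirm that the preceding paragraph actually uses that label; otherwise the definition renders as nothing and the reader never gets the pointer. The target is also an absolute URL with a generated anchor ("#_two_levels_of_access_rights_checking"), which will break without any warning if that heading is renamed. If the docs are rendered from the same tree, a relative link to 3-faq-tips-etc would be more robust.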