diff --git a/doc/4-wildcard-repositories.mkd b/doc/4-wildcard-repositories.mkd
index 07cc9a8..a4c1f75 100644
--- a/doc/4-wildcard-repositories.mkd
+++ b/doc/4-wildcard-repositories.mkd
@@ -134,23 +134,23 @@ cumbersome for non-secret environments.
 Create a small text file that contains the permissions you desire:
 
     $ cat > myperms
-    R user1 user3
-    RW user2
+    R u5
+    RW u6
     (hit ctrl-d here)
 
 ...and use the new "getperms" command to set permissions for your repo:
 
-    $ ssh git@server setperms XXX/XXX/XXX < myperms
+    $ ssh git@server setperms assignments/u4/a12 < myperms
     New perms are:
-    R user1 user3
-    RW user2
+    R u5
+    RW u6
 
 'setperms' will helpfully print what the new permissions are but you can also
 use 'getperms' to check:
 
-    $ ssh git@server getperms XXX/XXX/XXX
-    R user1 user3
-    RW user2
+    $ ssh git@server getperms assignments/u4/a12
+    R u5
+    RW u6
 
 The following points are important:
 
@@ -172,11 +172,6 @@ This still works, except the format is a little more compressed to accommodate
 a new column (at the start) for "C" permissions, which indicate that you are
 allowed to *create* repos matching that pattern.
 
-In addition, there's a second level of reporting now, which is used to find
-what *actual* repos are available when you supply a pattern.
-
-    XXX to be done XXX
-
 ### Other issues and discussion
 
   * *what if the repo name being pushed matches more than one pattern*?
diff --git a/src/gitolite.pm b/src/gitolite.pm
index 4507f54..41c45b1 100644
--- a/src/gitolite.pm
+++ b/src/gitolite.pm
@@ -156,8 +156,8 @@ sub parse_acl
 
     # void $r if same as $w (otherwise "readers" overrides "writers"; this is
     # the same problem that needed a sort sub for the Dumper in the compile
-    # script, but localised to just $readers and $writers)
-    $r = "" if $r eq $w;
+    # script, but in this case it's limited to just $readers and $writers)
+    $r = "NOBODY" if $r eq $w;
 
     # set up the variables for a parse to interpolate stuff from the dumped
     # hash (remember the selective conversion of single to double quotes?).
@@ -209,5 +209,35 @@ sub report_basic
         print "$perm\t$r\n\r" if $perm =~ /\S/;
     }
 }
-1;
 
+# ----------------------------------------------------------------------------
+#       print a report of $user's basic permissions
+# ----------------------------------------------------------------------------
+
+sub expand_wild
+{
+    my($GL_CONF_COMPILED, $repo_base_abs, $repo, $user) = @_;
+
+    # display matching repos (from *all* the repos in the system) that $user
+    # has at least "R" access to
+
+    chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
+    for my $actual_repo (`find . -type d -name "*.git"|sort`) {
+        chomp ($actual_repo);
+        $actual_repo =~ s/^\.\///;
+        $actual_repo =~ s/\.git$//;
+        # it has to match the pattern being expanded
+        next unless $actual_repo =~ /^$repo$/;
+
+        # find the creater and subsitute in repos
+        my ($creater, $read, $write) = &repo_rights($repo_base_abs, $actual_repo, $user);
+        # get access list with this
+        &parse_acl($GL_CONF_COMPILED, "", $creater, $read || "NOBODY", $write || "NOBODY");
+
+        # you need a minimum of "R" access to the regex we're talking about
+        next unless $repos{$repo}{R}{'@all'} or $repos{$repo}{R}{$user};
+        print STDERR "($creater)\t$actual_repo\n";
+    }
+}
+
+1;
diff --git a/src/gl-auth-command b/src/gl-auth-command
index d74b20d..cc4b5f9 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -80,7 +80,7 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
     }
     elsif ($repo !~ $REPONAME_PATT and $verb eq 'expand') {
         # with a wildcard, you can "expand" it to see what repos actually match
-        die "not implemented yet\n";
+        expand_wild($GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
     } else {
         die "$cmd doesn't make sense to me\n";
     }