Update security.rst

book/security.rst

@@ -938,7 +938,7 @@ will match any ``ip``, ``host`` or ``method``:
 .....................
 
 Once Symfony has decided which ``access_control`` entry matches (if any),
-it then *enforces* access restrictions based on the ``roles`` and ``requires_channel``
+it then *enforces* access restrictions based on the ``roles``, ``allow_if`` and ``requires_channel``
 options:
 
 * ``role`` If the user does not have the given role(s), then access is denied