From bfcc88507d8304114cac252a46bb73ff5da83d5c Mon Sep 17 00:00:00 2001
From: Alan Poulain <contact@alanpoulain.eu>
Date: Fri, 19 Nov 2021 11:40:29 +0100
Subject: [PATCH] fix(security): request variable is only available at the
 resource level

---
 core/security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/security.md b/core/security.md
index c1d4aaf0d5e..c22e15a7f2a 100644
--- a/core/security.md
+++ b/core/security.md
@@ -118,7 +118,7 @@ Available variables are:
 
 * `user`: the current logged in object, if any
 * `object`: the current resource, or collection of resources for collection operations
-* `request`: the current request
+* `request` (only at the resource level): the current request
 
 Access control checks in the `security` attribute are always executed before the [denormalization step](serialization.md).
 It means than for `PUT` or `PATCH` requests, `object` doesn't contain the value submitted by the user, but values currently stored in [the persistence layer](data-persisters.md).