Improve doc

doc/sources/admin/impersonation.rst

@@ -51,17 +51,19 @@ protected from being impersonated.
 
 
 
-
 .. attention::
 
     Both spoofed and real session attributes can be used to
     set access rules, groups or macros.
 
-    By example : ``$real_uid eq 'dwho'`` or ``$real_groups =~ /\bsu\b/``
+    By example : ``$real_uid && $real_uid eq 'dwho'`` or ``$real_groups && $real_groups =~ /\bsu\b/``
 
     Keep in mind that real session is computed first. Afterward, if access
     is granted, impersonated session is computed with real and spoofed
     session attributes if Impersonation is allowed.
+    So, 'real_' attributes are computed by second authentication process.
+    To avoid Perl warnings, you have to prefix regex with ``$real_var &&``.
+
 
 
 .. attention::

doc/sources/admin/security.rst

@@ -354,7 +354,7 @@ Go in Manager, ``General parameters`` » ``Advanced parameters`` »
     to disable CSRF token by setting a special rule based on callers IP
     address like this :
 
-    requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
+    requireToken => $env->{REMOTE_ADDR} && $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
 
 .. danger::