Feature Request: Add "Path and Children" option for proper path boundary matching in page rules
K
Kezie Iroha
##
Problem Statement
The current page rule system has a fundamental flaw with path boundary matching that affects security and usability, particularly for departmental access control.
###
Current Issue:
The official Wiki.js documentation recommends using "Path Starts With" for departmental access control:
> "For each group, add a Page Rule with access to path starting with... a specific subfolder (e.g. /accounting, /marketing, etc.)"
However, "Path Starts With" performs literal string prefix matching, which creates
false positive matches
:- /devincorrectly matches/devops,/dev1,/development-old
- /accountingincorrectly matches/accounting-backup,/accounting2024
- /marketingincorrectly matches/marketing-new,/marketing-old
###
Security Implications:
This breaks the principle of least privilege and path isolation. Users gain unintended access to paths they shouldn't see, potentially exposing sensitive information across different departments or teams.
###
Current Workaround:
The only solution is to use "Path Matches Regex" with patterns like
/dev(/|$)
, but this:- Requires regex knowledge from administrators
- Is error-prone and intimidating for non-technical users
- Contradicts the official documentation's recommendations
##
Requested Solution
Add a new page rule option:
"Path and Children"
###
Behaviour:
- Matches the exact specified path AND all its child paths
- /devwould match:
-
/dev
(exact match)-
/dev/page1
(child)-
/dev/subfolder/page2
(nested child)-
/devops
(different path but matched anyway)-
/development
(different path but matched anyway)###
Benefits:
- Intuitive: Matches expected behaviour for folder-like access control
- Secure: Proper path boundary isolation
- User-friendly: No regex knowledge required
- Consistent: Aligns with how file system permissions work
- Scalable: Perfect for departmental/team wikis
##
Alternative Solutions
If adding a new option isn't feasible:
- Fix "Path Starts With": Make it boundary-aware by default
- Update Documentation: Change official examples to recommend regex patterns
- Add Warning: Alert administrators about boundary matching issues
##
Use Case Examples
Scenario
: Company with departments Dev, DevOps, and MarketingCurrent Problem
:- Dev group with "Path Starts With /dev"
- Dev users can accidentally access /devopscontent
- Violates departmental content isolation
With "Path and Children"
:- Dev group: "Path and Children /dev" → Access only/dev/*
- DevOps group: "Path and Children /devops" → Access only/devops/*
- Marketing group: "Path and Children /marketing" → Access only/marketing/*
- Perfect isolation achieved
##
Implementation Notes
The logic already exists in the current regex workaround
/path(/|$)
. This feature would essentially provide a UI-friendly wrapper around that pattern.##
Expected Impact
- Better Security: Proper path isolation by default
- Improved UX: Administrators can set up departmental access without regex knowledge
- Documentation Alignment: Official examples would actually work as intended
- Reduced Support: Fewer confused users asking why they see unintended content
##
Environment
- Wiki.js version: 2.5+ (affects all versions with page rules)
- Impact: All administrators setting up multi-team/departmental wikis
- Frequency: Common use case based on official documentation examples
---
This feature request addresses a fundamental usability and security issue with the current page rules system while maintaining backward compatibility.
K
Kezie Iroha
Correction:
## Requested Solution
Add a new page rule option: "Path and Children"
### Behaviour:
Matches the exact specified path AND all its child paths
/dev would match:
- /dev (exact match)
- /dev/page1 (child match)
- /dev/subfolder/page2 (nested child match)
- /devops (not matched)
- /development (not matched)