K
Kezie Iroha
##
Problem Statement
The current page rule system has a fundamental flaw with path boundary matching that affects security and usability, particularly for departmental access control.
###
Current Issue:
The official Wiki.js documentation recommends using "Path Starts With" for departmental access control:
> "For each group, add a Page Rule with access to path starting with... a specific subfolder (e.g. /accounting, /marketing, etc.)"
However, "Path Starts With" performs literal string prefix matching, which creates
false positive matches
:
  • /dev
    incorrectly matches
    /devops
    ,
    /dev1
    ,
    /development-old
  • /accounting
    incorrectly matches
    /accounting-backup
    ,
    /accounting2024
  • /marketing
    incorrectly matches
    /marketing-new
    ,
    /marketing-old
###
Security Implications:
This breaks the principle of least privilege and path isolation. Users gain unintended access to paths they shouldn't see, potentially exposing sensitive information across different departments or teams.
###
Current Workaround:
The only solution is to use "Path Matches Regex" with patterns like
/dev(/|$)
, but this:
  • Requires regex knowledge from administrators
  • Is error-prone and intimidating for non-technical users
  • Contradicts the official documentation's recommendations
##
Requested Solution
Add a new page rule option:
"Path and Children"
###
Behaviour:
  • Matches the exact specified path AND all its child paths
  • /dev (exact match)
  • /dev/page1 (child match)
  • /dev/subfolder/page2 (nested child match)
  • /devops (not matched)
  • /development (not matched)
###
Benefits:
  1. Intuitive
    : Matches expected behaviour for folder-like access control
  2. Secure
    : Proper path boundary isolation
  3. User-friendly
    : No regex knowledge required
  4. Consistent
    : Aligns with how file system permissions work
  5. Scalable
    : Perfect for departmental/team wikis
##
Alternative Solutions
If adding a new option isn't feasible:
  1. Fix "Path Starts With"
    : Make it boundary-aware by default
  2. Update Documentation
    : Change official examples to recommend regex patterns
  3. Add Warning
    : Alert administrators about boundary matching issues
##
Use Case Examples
Scenario
: Company with departments Dev, DevOps, and Marketing
Current Problem
:
  • Dev group with "Path Starts With
    /dev
    "
  • Dev users can accidentally access
    /devops
    content
  • Violates departmental content isolation
With "Path and Children"
:
  • Dev group: "Path and Children
    /dev
    " → Access only
    /dev/*
  • DevOps group: "Path and Children
    /devops
    " → Access only
    /devops/*
  • Marketing group: "Path and Children
    /marketing
    " → Access only
    /marketing/*
  • Perfect isolation achieved
##
Implementation Notes
The logic already exists in the current regex workaround
/path(/|$)
. This feature would essentially provide a UI-friendly wrapper around that pattern.
##
Expected Impact
  • Better Security
    : Proper path isolation by default
  • Improved UX
    : Administrators can set up departmental access without regex knowledge
  • Documentation Alignment
    : Official examples would actually work as intended
  • Reduced Support
    : Fewer confused users asking why they see unintended content
##
Environment
  • Wiki.js version
    : 2.5+ (affects all versions with page rules)
  • Impact
    : All administrators setting up multi-team/departmental wikis
  • Frequency
    : Common use case based on official documentation examples
---
This feature request addresses a fundamental usability and security issue with the current page rules system while maintaining backward compatibility.