## Problem Statement The current page rule system has a fundamental flaw with path boundary matching that affects security and usability, particularly for departmental access control. ### Current Issue: The official Wiki.js documentation recommends using "Path Starts With" for departmental access control: > "For each group, add a Page Rule with access to path starting with... a specific subfolder (e.g. /accounting, /marketing, etc.)" However, "Path Starts With" performs literal string prefix matching, which creates false positive matches : /dev incorrectly matches /devops , /dev1 , /development-old /accounting incorrectly matches /accounting-backup , /accounting2024 /marketing incorrectly matches /marketing-new , /marketing-old ### Security Implications: This breaks the principle of least privilege and path isolation. Users gain unintended access to paths they shouldn't see, potentially exposing sensitive information across different departments or teams. ### Current Workaround: The only solution is to use "Path Matches Regex" with patterns like /dev(/|$) , but this: Requires regex knowledge from administrators Is error-prone and intimidating for non-technical users Contradicts the official documentation's recommendations ## Requested Solution Add a new page rule option: "Path and Children" ### Behaviour: Matches the exact specified path AND all its child paths /dev (exact match) /dev/page1 (child match) /dev/subfolder/page2 (nested child match) /devops (not matched) /development (not matched) ### Benefits: Intuitive : Matches expected behaviour for folder-like access control Secure : Proper path boundary isolation User-friendly : No regex knowledge required Consistent : Aligns with how file system permissions work Scalable : Perfect for departmental/team wikis ## Alternative Solutions If adding a new option isn't feasible: Fix "Path Starts With" : Make it boundary-aware by default Update Documentation : Change official examples to recommend regex patterns Add Warning : Alert administrators about boundary matching issues ## Use Case Examples Scenario : Company with departments Dev, DevOps, and Marketing Current Problem : Dev group with "Path Starts With /dev " Dev users can accidentally access /devops content Violates departmental content isolation With "Path and Children" : Dev group: "Path and Children /dev " → Access only /dev/* DevOps group: "Path and Children /devops " → Access only /devops/* Marketing group: "Path and Children /marketing " → Access only /marketing/* Perfect isolation achieved ## Implementation Notes The logic already exists in the current regex workaround /path(/|$) . This feature would essentially provide a UI-friendly wrapper around that pattern. ## Expected Impact Better Security : Proper path isolation by default Improved UX : Administrators can set up departmental access without regex knowledge Documentation Alignment : Official examples would actually work as intended Reduced Support : Fewer confused users asking why they see unintended content ## Environment Wiki.js version : 2.5+ (affects all versions with page rules) Impact : All administrators setting up multi-team/departmental wikis Frequency : Common use case based on official documentation examples --- This feature request addresses a fundamental usability and security issue with the current page rules system while maintaining backward compatibility.