Fix page tree to respect TAG and REGEX permission rules, improve specificity ranking#8013
Open
lucaci32u4 wants to merge 1 commit into
Open
Fix page tree to respect TAG and REGEX permission rules, improve specificity ranking#8013lucaci32u4 wants to merge 1 commit into
lucaci32u4 wants to merge 1 commit into
Conversation
Squashed commit of the following, omitting all environment-related setups: commit e0c04f8 Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Sat May 16 02:36:04 2026 +0300 Fix forking release again commit 4b21b82 Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Sat May 16 02:19:46 2026 +0300 Fix forking release commit cac209b Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Sat May 16 01:57:19 2026 +0300 Remove windows build commit b3e6b37 Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Sat May 16 01:42:21 2026 +0300 Fix page tree responding to all permissions rules commit 7606393 Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 05:12:42 2026 +0300 Fix build process and improve permission handling commit 1b6dbed Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 05:00:51 2026 +0300 Add explanation of fork reason to README commit a7a7460 Merge: 3d63b55 67d69fe Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 04:54:13 2026 +0300 Merge branch 'feat-permissions' commit 67d69fe Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 04:53:39 2026 +0300 Update inline hint about permission evaluation commit 64d20cb Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 04:04:40 2026 +0300 Rework permissions path matching to better support tags commit 3d63b55 Author: lucaci32u4 <lucaci32u4@gmail.com> Date: Tue May 12 04:03:17 2026 +0300 Publish to form repo
lucaci32u4
changed the title
|
This used to drive me crazy. Very needed addition. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This patch addresses two issues in the permission system:
Page tree does not resolve TAG or REGEX rules
The tree resolver passes only
pathandlocaletocheckAccess(), so TAG and REGEX page rules have no effect on sidebar navigation. Pages that should be hidden or visible based on their tags appear incorrectly in the tree.The resolver is adapted to fetch each page's tags from the
pageTagstable and includes them in the access verification. Folder nodes (no page id, no tag) are kept visible when at least one descendant page passes the full access check, so tag-gated or regex-gated subtrees remain navigable.Rule specificity resolution is string length based
String length is an adequate measure of specificity for path-related checking, but REGEX and TAG page rules should use a different ranking algorithm.
Introduced a different ranking algorithm that keeps the original priority list with adequately counting path length indicator by counting the amount of segments and separators in the path fragment.
Tags, exact rules and regexes (to some extent) are applied surgically over the wiki tree, therefore they should have maximum specificity. Start and end matchers are the least specific, so they use segment counting.
MAX_SAFE_INTEGER).MAX_SAFE_INTEGER - 1.MAX_SAFE_INTEGER - 2.segments + separators + 0.5).segments + separators). Example:Projects/test1-> 3,Docs/Internal/-> 4.Deny still takes precedence over Allow.
Files changed
server/graph/resolvers/page.js- tree resolver tag fetching and folder descendant checkserver/core/auth.js- new specificity-based rule rankingclient/components/admin/admin-groups-edit-rules.vue- Admin UI help-text changes to reflect new page rule evaluation.Testing
To test this feature, create a page inside a few folders (
Docs/Projects/Test/page1) and give it thepublictag.In admin area, go to the Guest group and give it
read:pagespage rule for thepublictag, and deny for theDocs/Projects/TestSTART path.Without the changes here, the page1 would not be accessible by Guest because the deny rule overrides the allow rule by comparing path length to tag length.
With the changes here, the page is visible by guest as specificity now does not compare unrelated metrics. The
publictag is applied surgically and is respected.We are currently using the changes in this PR in our production instance. For example, the page here is made public using tags, while a Starts with rule denies access to all other projects in
/Projects/.Release and security concerns
Very complex page rules setups will need to be reworked before updating to the new Wikijs version as this patch changes the way how permissions stackups are evaluated.
Reliance on old page rule mechamism is not recommended (comparison between path length and tag length) but can happend in odd setups.
A note should be added to the release indicating that complex permission systems need to be reviewed before updating.