There is an old design flaw in the privilege schema: multiple privileges may match the same path. The README describes it:

> However of all the matching rules only the rule with the longest path pattern will be used to determine whether a user is allowed to perform a request. This is often a bit surprising.

This is implemented as:

```sql
ORDER BY length(path) - length(replace(path, '/', '')) DESC
```

Note that "longest" here means the pattern with the most `/` characters, not the most characters. Two matching patterns with the same number of slashes tie, and which of them the database returns first is then unspecified, so the result is not only surprising but can be nondeterministic.

To make it less "surprising" we can use ordered rules: rules are checked in ascending `order`, and the first one to match wins. E.g. (lower `order` value is checked first):
| privilege | domain | path | method | order |
|---|---|---|---|---|
| basic | wiki.example.com | /% | GET | 10 |
| read | wiki.example.com | /wiki/% | GET | 5 |
| edit | wiki.example.com | /wiki/edit/% | GET | 1 |
| edit | wiki.example.com | /wiki/edit/% | POST | 1 |
| admin | wiki.example.com | /admin/% | GET | 5 |
| admin | wiki.example.com | /admin/% | POST | 5 |
| admin | wiki.example.com | /admin/% | DELETE | 5 |
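The following is an added example, not the project's own code: it loads the table above into an in-memory SQLite database (constructed sample data; the column and table names, and the use of SQL `LIKE` for the `%` patterns, are assumptions) and runs both strategies side by side: the current "most slashes wins" `ORDER BY` and the proposed ascending `order` column. It also shows why a request can be denied even though the user holds a privilege that matches the path: only the single deciding rule counts.

```python
import sqlite3

# Rule table from the proposal above, as constructed sample data; nothing about
# the real project's schema is assumed beyond what the table shows.
RULES = [
    ("basic", "wiki.example.com", "/%",           "GET",    10),
    ("read",  "wiki.example.com", "/wiki/%",      "GET",     5),
    ("edit",  "wiki.example.com", "/wiki/edit/%", "GET",     1),
    ("edit",  "wiki.example.com", "/wiki/edit/%", "POST",    1),
    ("admin", "wiki.example.com", "/admin/%",     "GET",     5),
    ("admin", "wiki.example.com", "/admin/%",     "POST",    5),
    ("admin", "wiki.example.com", "/admin/%",     "DELETE",  5),
]

# Path patterns use '%' as the wildcard, so they are evaluated with SQL LIKE
# (assumption: the project's matching may differ).
MATCH = "domain = ? AND ? LIKE path AND method = ?"


def build_db():
    """In-memory SQLite copy of the privilege table ("order" is a reserved word, so it is quoted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE privilege ('
        'privilege TEXT, domain TEXT, path TEXT, method TEXT, "order" INTEGER)'
    )
    conn.executemany("INSERT INTO privilege VALUES (?, ?, ?, ?, ?)", RULES)
    return conn


def matching_privileges(conn, domain, path, method):
    """Every rule that matches the request, least specific pattern first (for inspection only)."""
    rows = conn.execute(
        f"SELECT privilege FROM privilege WHERE {MATCH} ORDER BY path",
        (domain, path, method),
    ).fetchall()
    return [r[0] for r in rows]


def deciding_rule_longest_path(conn, domain, path, method):
    """Current behaviour: the matching rule whose pattern contains the most '/'.
    Patterns with the same slash count tie, and SQLite returns an arbitrary one."""
    return conn.execute(
        f"SELECT privilege, path FROM privilege WHERE {MATCH} "
        "ORDER BY length(path) - length(replace(path, '/', '')) DESC LIMIT 1",
        (domain, path, method),
    ).fetchone()


def deciding_rule_ordered(conn, domain, path, method):
    """Proposed behaviour: rules are tried by ascending "order"; the first match wins.
    rowid is a deterministic tie-break for rules that share an order value."""
    return conn.execute(
        f'SELECT privilege, path FROM privilege WHERE {MATCH} '
        'ORDER BY "order" ASC, rowid ASC LIMIT 1',
        (domain, path, method),
    ).fetchone()


def is_allowed(conn, granted, domain, path, method, decide=deciding_rule_ordered):
    """Allow the request only if the single deciding rule names a privilege the user holds.
    Holding some other matching privilege (e.g. basic for /%) does not help."""
    rule = decide(conn, domain, path, method)
    return rule is not None and rule[0] in granted


if __name__ == "__main__":
    conn = build_db()
    d, req = "wiki.example.com", ("/wiki/edit/Home", "GET")
    print("matching rules:    ", matching_privileges(conn, d, *req))
    print("longest-path picks:", deciding_rule_longest_path(conn, d, *req))
    print("ordered picks:     ", deciding_rule_ordered(conn, d, *req))
    print("read-only user may GET /wiki/edit/Home?", is_allowed(conn, {"read"}, d, *req))
```

For `GET /wiki/edit/Home` three rules match (`basic`, `read`, `edit`), but both strategies decide on `edit` alone, so a user holding only `read` is denied. The difference is that the ordered query makes the precedence explicit in the data and, with the `rowid` tie-break, deterministic, whereas the slash-count query silently picks between equally deep patterns. One caveat if you reuse this: SQLite's `LIKE` is case-insensitive for ASCII and treats `_` as a single-character wildcard, so `/Admin/users` also matches `/admin/%`; check the matching semantics of the database the project actually uses before relying on path patterns as a security boundary.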