Page rules not working as intended

[AgarwalSaurav]

Describe the bug
Adding a deny rule denies user from all content and results in a login loop.
Scenario: There is a CoreResearch page along with sub-pages. Want a new group to have read access to all the content. However, the new group can write only pages that start with CoreResearch.

Three rules are created:
Rule1-Allow permissions for pages that start with /

1. Read page
2. Read/Use assets
3. Read comments
4. Write comments

Rule2-Permissions for pages that start with /CoreResearch
Allow all

Rule3-Permissions for pages that start with /
Deny all write permissions (compliment of rule1 permissions)

To Reproduce
Steps to reproduce the behavior:

1. Create a new user (let's call it su1)
2. Create a new group (let's call it Core)
3. Create a page called /CoreResearch
4. Give all "CONTENT" permission to group Core from Edit Group
5. Apply 3 rules described above to the group Core (see screenshot)
6. Login with the new user su1 and it would get into a login loop, probably because the new user does not have permission for anything

Expected behavior
User su1 is able to read all content and edit pages under /CoreResearch

Screenshots

Host Info (please complete the following information):

• OS: Ubuntu 18.04, Linux Install
• Wiki.js version: 2.0.0-beta.275
• Database engine: postgres 10.9

Additional context
It might be so that I am not defining the rules correctly. For the guest group, I gave a deny that /CoreResearch should not have any of the permissions. This works perfectly.

[AgarwalSaurav]

On further investigation, denying any rule to a new group causes login loop. Perhaps because it denies all permissions. Also, I think adding an allow rule allows everything. Also, I think even if global permissions are set they are not applied until page rules are specified. This is all for new group.

[owkwen]

I have this same problem, using version 2.0.0 RC1
I tried to change what Guest group has but it made no difference.
As soon as you add a deny on write for paths starting with / (root), you get Unauthorized for all paths, even for read, which doesn't make sense.

This also contradicts the documentation ( In my situation the first rule is using Path is exactly ):

Rules are applied in order of path specificity. A more precise path will always override a less defined path.
For example, /geography/countries will override /geography.

Assuming this also means /geography will override /

[oussamajilal]

Any update on this? having the same issue on Wiki.js version: 2.0.1

Edit: Still the same issue in version 2.0.12

[AlexandreDeCarli]

Page rules does not working for me too.

The assets are not shown although configured to read assets.

The Group configuration:

The page for administrators:

The page for this group:

[NGPixel]

Fixed by 7d23344