From 647f8c5f02f190851ce755180d9e36080fdf7d06 Mon Sep 17 00:00:00 2001 From: Matheus Araujo Date: Wed, 11 Mar 2026 10:24:30 -0300 Subject: [PATCH] docs: update path rules section to clarify query parameter handling --- manage/access-control/rules.mdx | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/manage/access-control/rules.mdx b/manage/access-control/rules.mdx index 61747e1..5e5f9b4 100644 --- a/manage/access-control/rules.mdx +++ b/manage/access-control/rules.mdx @@ -35,6 +35,12 @@ Right now you can match on the following items: Path match rules allow URL patterns defined with plain text and wildcards (`*`) that match any characters. Patterns and URLs are split into segments (using `/`), and **each segment is matched individually**. + +Pangolin matches on the **exact path** and does not account for query parameters. If a path may include query parameters, append a wildcard `*` to the pattern. + +For example, allowing `blog/posts` will **not** match `blog/posts?token=123`. Use `blog/posts?token=*` instead. + + #### Examples: - `blog/posts` @@ -55,6 +61,9 @@ Path match rules allow URL patterns defined with plain text and wildcards (`*`) - `personal-*/*` Matches paths where the first segment starts with `personal-` and is followed by any segment (e.g., `/personal-blog/post`). + - `blog/posts?token=*` + Matches `blog/posts` with any token query parameter (e.g., `/blog/posts?token=abc123`). + #### Segment-by-Segment Matching - **Normalization:** @@ -98,4 +107,4 @@ Pretty simple: you can match on simply an IP address like your home IP to bypass ### Community Contributed Rules -Some common bypass paths for common self hosted apps can be found [in the community contributed rules](/self-host/community-guides/rules). \ No newline at end of file +Some common bypass paths for common self hosted apps can be found [in the community contributed rules](/self-host/community-guides/rules).