mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
[GH-ISSUE #3254] Shared policy access rules are always at the bottom? #39140
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ceptonit on GitHub (Jun 12, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3254
Describe the Bug
After applying a shared policy to a public resource, it seems its access rules are always at the bottom if you try to add a custom rule for said resource.
In other words, it's impossible to add a custom rule that goes below the shared policy rules?
I'm not sure if it's a bug or meant to work this way, but this a bit of a bummer if your shared policy rules are all "Block access" type rules, which you'd probably always want at the top and not at the bottom priority wise.
Environment
To Reproduce
Expected Behavior
Custom access rules on public resources should be able to go below shared policy rules.
@woernsn commented on GitHub (Jun 15, 2026):
I'm seeing the same.
I want to be able to add site-specific rules in between the shared rules.
Therefore I added 3 shared rules with priorities 10, 20 and 99.
Adding a specific rule via Docker label like
adds the rule regardless of the priority (or more likely: the shared rules' priorities) at the top.
Also the given priority in the shared rules are not reflected on the site configuration.
Share policy configuration:

Site configuration using the shared policy and having the mentioned "11" priority:
@oschwartz10612 commented on GitHub (Jun 16, 2026):
Right now this is expected behavior. The the rules on the resource
specifically "override" the policy rules and always go on top. We could
look into adding this as a feature (to interlace the rules).
On 6/15/26 05:28, Werner Kapferer wrote:
@woernsn commented on GitHub (Jun 17, 2026):
Thanks for answering so fast!
I don't know if this would also be requested for others but for me it's a must-have to be able to use shared policies for a few of my sites.
Would there be other side effects if the given priorities of the shared policies are simply taken as-is for the sites?
For the current behavior, one could simply set the shared policy priorities to > 20 and therefore always add site-specific rules with priorities < 20 on top.