From 43e9bcd94895e9431d2bfab109cf0884d7feb403 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 26 Mar 2018 11:30:58 -0400
Subject: [PATCH] Add more docs around list paths in policies. CC #4199
---
 vault/token_store.go | 2 +-
 website/source/docs/concepts/policies.html.md | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index 69a6b288b3..66ea8bea16 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -159,7 +159,7 @@ func NewTokenStore(ctx context.Context, c *Core, config *logical.BackendConfig)
 },
 &framework.Path{
- Pattern: "accessors/?$",
+ Pattern: "accessors/$",
 Callbacks: map[logical.Operation]framework.OperationFunc{
 logical.ListOperation: t.tokenStoreAccessorList,
diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md
index 182af4a040..fb7097a0f9 100644
--- a/website/source/docs/concepts/policies.html.md
+++ b/website/source/docs/concepts/policies.html.md
@@ -161,6 +161,20 @@ policy for `"secret/foo*"`, the policy would also match `"secret/foobar"`.
 !> The glob character is only supported as the **last character of the path**, and **is not a regular expression**!
+When providing `list` capability, it is important to note that since listing
+always operates on a prefix, policies must operate on a prefix because Vault
+will sanitize request paths to be prefixes:
+
+```ruby
+path "secret/foo" { capabilities = ["read"] } path "secret/foo/" { capabilities = ["list"] }
+```
+
 ### Capabilities
 Each path must define one or more capabilities which provide fine-grained
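Review bot: The tightened `Pattern: "accessors/$"` in the token_store.go hunk carries no comment explaining why the optional slash was dropped, so a later reader is likely to restore `/?` for convenience and reopen the mismatch this commit closes; a why-comment above the field would protect it, e.g. `// Trailing slash is required: Vault sanitizes list request paths to a prefix (see docs/concepts/policies), so only "accessors/" should match here.` The companion docs hunk in website/source/docs/concepts/policies.html.md states the prefix rule for policy authors, but nothing in the code records it, and the accessor listing is exactly the kind of endpoint where routing and policy paths should visibly agree. Whether the framework anchors the pattern with a leading `^`, and whether sanitization happens before routing as well as before the ACL check, is not visible in this hunk, so confirm both against framework.Path's pattern handling before wording the comment as fact. The enclosing NewTokenStore function and the &framework.Path literal both start and end outside the hunk.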