Clarify policy scope in Policies documentation (#2848) (#2861)

pwizla · web-flow · web-flow · commit 1f46ea6766ce · 2025-11-20T19:21:41.000+01:00
* docs(backend): correct TypeScript code fences in TS tabs (controllers, services, middlewares, routes)

* docs(bundlers): clarify webpack config example rename and JS/TS filenames

* docs(routes): add guidance to prefer fully-qualified handler names in custom routers

* docs(api-tokens): add concise security tip (least privilege, rotation, secrets manager)

* docs(controllers): add caution about validateQuery/sanitizeQuery/sanitizeOutput when overriding actions

* docs(policies): clarify scoped policy folders and fix example path

* Limit PR scope based on title; keep only intended doc(s); revert unrelated files

---------

Co-authored-by: GitHub Actions &lt;noreply@github.com&gt;
diff --git a/docusaurus/docs/cms/backend-customization/policies.md b/docusaurus/docs/cms/backend-customization/policies.md
@@ -24,7 +24,7 @@ Policies are functions that execute specific logic on each request before it rea
 
 Each [route](/cms/backend-customization/routes) of a Strapi project can be associated to an array of policies. For example, a policy named `is-admin` could check that the request is sent by an admin user, and restrict access to critical routes.
 
-Policies can be global or scoped. [Global policies](#global-policies) can be associated to any route in the project. Scoped policies only apply to a specific [API](#api-policies) or [plugin](#plugin-policies).
+Policies can be global or scoped. [Global policies](#global-policies) can be associated to any route in the project. Scoped policies only apply to a specific [API](#api-policies) or [plugin](#plugin-policies) and should live under the corresponding `./src/api/<api-name>/policies/` or `./src/plugins/<plugin-name>/policies/` folder.
 
 <figure style={{width: '100%', margin: '0'}}>
   <img src="/img/assets/backend-customization/diagram-routes.png" alt="Simplified Strapi backend diagram with routes and policies highlighted" />
@@ -89,7 +89,7 @@ Policies can be configured using a `config` object:
 <Tabs groupId="js-ts">
 <TabItem value="js" label="JavaScript">
 
-```js title=".src/api/[api-name]/policies/my-policy.js"
+```js title="./src/api/[api-name]/policies/my-policy.js"
 
 module.exports = (policyContext, config, { strapi }) => {
     if (policyContext.state.user.role.code === config.role) { // if user's role is the same as the one described in configuration
