diff --git a/lib/vcauth/forbiddenre/__init__.py b/lib/vcauth/forbiddenre/__init__.py
index e6d0022e..7de7b3ea 100644
--- a/lib/vcauth/forbiddenre/__init__.py
+++ b/lib/vcauth/forbiddenre/__init__.py
@@ -32,24 +32,27 @@ class ViewVCAuthorizer(vcauth.GenericViewVCAuthorizer):
     self.forbidden = map(lambda x: _split_regexp(string.strip(x)),
                          filter(None, string.split(forbidden, ',')))
                          
-  def _check_root_path_access(self, rootname, path_parts):
-    path = rootname
-    if path_parts:
-      path = path + '/' + string.join(path_parts, '/')
-
+  def _check_root_path_access(self, root_path):
     default = 1
     for forbidden, negated in self.forbidden:
       if negated:
         default = 0
-        if forbidden.search(path):
+        if forbidden.search(root_path):
           return 1
-      elif forbidden.search(path):
+      elif forbidden.search(root_path):
         return 0
     return default
       
   def check_root_access(self, rootname):
-    return self._check_root_path_access(rootname, None)
+    return self._check_root_path_access(rootname)
   
   def check_path_access(self, rootname, path_parts, pathtype, rev=None):
-    return self._check_root_path_access(rootname, path_parts)
+    root_path = rootname
+    if path_parts:
+      root_path = root_path + '/' + string.join(path_parts, '/')
+      if pathtype == vclib.DIR:
+        root_path = root_path + '/'
+    else:
+      root_path = root_path + '/'
+    return self._check_root_path_access(root_path)
     
diff --git a/viewvc.conf.dist b/viewvc.conf.dist
index eaa1c9a9..bf911453 100644
--- a/viewvc.conf.dist
+++ b/viewvc.conf.dist
@@ -748,7 +748,8 @@ forbidden =
 # path "/trunk/www/index.html" in the repository whose root name is
 # "svnrepos", this authorizer will check the path
 # "svnrepos/trunk/www/index.html" against the list of forbidden
-# regular expressions.
+# regular expressions.  Directory paths will be terminated by a forward
+# slash.
 #
 # Like the "forbidden" authorizer...
 #
@@ -766,11 +767,17 @@ forbidden =
 #    Disallow files named "PRIVATE", but allow all others:
 #       forbidden = /PRIVATE$
 #
+#    Disallow the "hidden" repository, allowing all others:
+#       forbidden = ^hidden(/|$)
+#
 #    Allow only the "example1" and "example2" roots and the paths inside them,
 #    disallowing all others (which can be done in multiple ways):
 #       forbidden = !^example1(/|$), !^example2(/|$)/
 #       forbidden = !^example[12](/|$)
 #
+#    Only allow visibility of HTML files and the directories that hold them:
+#       forbidden = !^([^/]+|.*(/|\.html))$
+#
 forbidden = 
 
 #---------------------------------------------------------------------------