Posted to dev@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2014/01/28 11:27:07 UTC

Re: Passing Component or Class to IAuthorizationStrategy#isInstantiationAuthorized()

Done.
https://issues.apache.org/jira/browse/WICKET-5490

Martin Grigorov
Wicket Training and Consulting


On Fri, Dec 20, 2013 at 8:48 PM, Igor Vaynberg <ig...@gmail.com> wrote:

> i am guessing that the id of the component would be useful for logging
> in some cases, but i think it should just be passed in as an extra
> argument if that's the case. something to fix in 7.0...
>
> -igor
>
>
> On Fri, Dec 20, 2013 at 11:44 AM, Martin Grigorov <mg...@apache.org>
> wrote:
> > and what about IUnauthorizedComponentInstantiationListener ?
> > it receives the partially constructed object in case of rejection
> > its javadoc states: The partially constructed component (only the id is
> > guaranteed to be valid)
> > but even Wicket sources use it (partially) wrong later:
> > org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedInstantiation
> > casts the instance to a Page and passes it to
> > org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedPage(Page)
> > Here we use just "page.getClass()" but specialization of this class may try
> > to use the page instance for anything
> >
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> >
> >
> > On Fri, Dec 20, 2013 at 6:14 PM, Igor Vaynberg <igor.vaynberg@gmail.com> wrote:
> >
> >> this is a security check, so the whole idea is that it is run before
> >> any of the user's code in the constructor which may have side-effects.
> >> eg a constructor marking a record as ready to be deleted because a
> >> delete panel was instantiated. the class itself should be enough. even
> >> if you get an instance you can't use anything in it because its
> >> partially constructed. the question is if we do pass an instance how
> >> many users will bother reading javadoc? and out of those how many
> >> really understand how objects are constructed? i think we should close
> >> the issue as wont-fix, reading it "It would be easier to decide if
> >> instantiation is authorized if one could access some properties of the
> >> component being constructed." which is exactly what you cannot/must
> >> not do because the object is only partially initialized, thus proving
> >> my point above.
> >>
> >> the ComponentInstantiationListener is a very special case where we
> >> make an exception. the entire point of this interface is to work with
> >> a partially constructed object and most users will never implement
> >> their own as opposed to the authorization strategy...
> >>
> >> -igor
> >>
> >>
> >> On Fri, Dec 20, 2013 at 12:53 AM, Martin Grigorov <mgrigorov@apache.org> wrote:
> >> > Hi,
> >> >
> >> > The reporter of https://issues.apache.org/jira/browse/WICKET-5454 asked to
> >> > pass the Component instance
> >> > to  IAuthorizationStrategy#isInstantiationAuthorized() instead of just its
> >> > class.
> >> > I have no idea why the API has been designed this way but Carl-Eric gave a
> >> > good explanation - the component is not yet fully constructed.
> >> >
> >> > The thing that bothers me is why it is OK to use the instance in my custom
> >> > IComponentInstantiationListener and it is not OK to do the same in
> >> > IAuthorizationStrategy#isInstantiationAuthorized() ?
> >> > If there is a javadoc explaining the possible problem (as for
> >> > IComponentInstantiationListener#onInstantiation()) then it is OK.
> >> >
> >> > Even more - at
> >> > https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L276
> >> > you can see that right after rejecting the *Class* we pass the *instance*
> >> > to the UnauthorizedComponentInstantiationListener!
> >> >
> >> >
> >> > Martin Grigorov
> >> > Wicket Training and Consulting
> >>
>
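
The construction-order point argued in this thread, as an added example that is not part of the original messages and is not Wicket source: a plain-Java model in which a base constructor runs the authorization check before any subclass constructor code. `BaseComponent`, `DeletePanel`, `classCheck` and `instanceCheck` are hypothetical names standing in for the component base class and the two check styles discussed.

```java
import java.util.function.Predicate;

// Simplified model (assumption, not Wicket code): the base constructor runs
// the authorization check before any subclass constructor code executes.
public class PartialConstructionDemo {

    static Predicate<Class<?>> classCheck = c -> true;         // stand-in for a Class-based check
    static Predicate<BaseComponent> instanceCheck = c -> true; // hypothetical instance-based variant

    static abstract class BaseComponent {
        final String id;
        BaseComponent(String id) {
            this.id = id; // only the id is valid at this point
            if (!classCheck.test(getClass()) || !instanceCheck.test(this)) {
                throw new SecurityException("not authorized: " + getClass().getSimpleName());
            }
        }
    }

    static class DeletePanel extends BaseComponent {
        private final String owner;           // assigned only after super() returns
        static boolean markedForDelete = false;

        DeletePanel(String id, String owner) {
            super(id);
            this.owner = owner;
            markedForDelete = true;           // constructor side effect the check must precede
        }
        String getOwner() { return owner; }
    }

    public static void main(String[] args) {
        // Instance-based check: the subclass field is still null when the check runs.
        instanceCheck = c -> {
            System.out.println("id=" + c.id + " owner=" + ((DeletePanel) c).getOwner());
            return true;
        };
        new DeletePanel("delete", "alice");

        // Class-based check: rejects before the constructor side effect happens.
        DeletePanel.markedForDelete = false;
        instanceCheck = c -> true;
        classCheck = c -> c != DeletePanel.class;
        try {
            new DeletePanel("delete", "alice");
        } catch (SecurityException e) {
            System.out.println(e.getMessage() + ", markedForDelete=" + DeletePanel.markedForDelete);
        }
    }
}
```

The first run shows the instance-based check reading a `final` field as `null`, so an authorization decision based on component properties would silently use default values; the second shows the class-based rejection leaving the side effect unexecuted.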