Posted to dev@wicket.apache.org by Maurice Marrink <ma...@gmail.com> on 2008/04/24 22:36:14 UTC

Wicket-auth-roles issue 1152

I would like to get some ideas on how to proceed with this issue.

A quick recap of the problem: using authorize and unauthorize methods
wicket-auth-roles make it possible to grant permissions to certain
roles a user may or may not have.
Most of the time one would use authorize, unauthorize is only capable
of removing a previously authorized role. However, because of its name
people expect something like unauthorize(someAction,someRole) to deny
someAction for the role someRole. As described in
http://issues.apache.org/jira/browse/WICKET-1152. The code was clearly
never intended to work like that, in fact when only using unauthorize
a nullpointer would have been thrown. (I already committed a quick fix
for this on the 1.3 branch but have not yet made any changes to trunk)

So the question is: do we need to support this expected behavior and, if
so, for which versions (1.3, 1.4)? Or can we close this issue with a not
supported comment? Given that this is actually an example project.

Note that currently there is a difference in behavior between doing:
authorize(someAction,someRole);
unauthorize(someAction,someRole);
and doing
unauthorize(someAction,someRole);

In the first situation every check for that role and action is denied,
in the second every check is allowed.

Your thoughts please.

Maurice

Re: Wicket-auth-roles issue 1152

Posted by Maurice Marrink <ma...@gmail.com>.
>  In the first situation every check for that role and action is denied,
>  in the second every check is allowed.

Actually that should read: in the first situation all roles for that
action are denied, in the second all roles for that action are
allowed.
Now this is easily corrected so both operations work the same but
still not as one might expect, namely that only the role used in the
unauthorize is denied.

Maurice
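As an added illustration, not code from wicket-auth-roles, here is a small Python model of the two readings of unauthorize discussed in this thread: the grant-only table whose behavior Maurice describes (no entry for an action allows everyone, an empty entry allows nobody), beside the per-role denial that callers expect from the method name. Class names, the RENDER action and the ADMIN/USER roles are constructed for the example.

```python
class GrantOnlyPermissions:
    """Action -> granted roles, as the thread describes 1.3: no entry for an
    action means 'no rule' (everyone allowed); an entry allows only the roles
    it lists. unauthorize() only removes a grant and never records a denial."""

    def __init__(self):
        self.granted = {}

    def authorize(self, action, role):
        self.granted.setdefault(action, set()).add(role)

    def unauthorize(self, action, role):
        roles = self.granted.get(action)
        if roles is not None:  # no entry yet: the unauthorize-only NPE case
            roles.discard(role)

    def is_allowed(self, action, user_roles):
        roles = self.granted.get(action)
        if roles is None:
            return True  # no rule recorded for this action: allow all
        return not roles.isdisjoint(user_roles)


class DenyListPermissions(GrantOnlyPermissions):
    """What the method name suggests: unauthorize(action, role) denies that
    one role and leaves every other role's access unchanged."""

    def __init__(self):
        super().__init__()
        self.denied = {}

    def unauthorize(self, action, role):
        super().unauthorize(action, role)
        self.denied.setdefault(action, set()).add(role)

    def is_allowed(self, action, user_roles):
        if not self.denied.get(action, set()).isdisjoint(user_roles):
            return False  # an explicit denial wins over any grant
        return super().is_allowed(action, user_roles)


def compare(strategy_cls, action="RENDER", role="ADMIN", other="USER"):
    """Run the thread's two call sequences; return (role ok?, other ok?) each."""
    both, only = strategy_cls(), strategy_cls()
    both.authorize(action, role)
    both.unauthorize(action, role)
    only.unauthorize(action, role)
    def check(p):
        return p.is_allowed(action, {role}), p.is_allowed(action, {other})
    return {"authorize+unauthorize": check(both), "unauthorize only": check(only)}
```

With GrantOnlyPermissions the two sequences give "all roles denied" and "all roles allowed" respectively, which is the inconsistency Maurice corrects in his follow-up; with DenyListPermissions, unauthorize alone denies only ADMIN.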