[ https://issues.apache.org/jira/browse/WICKET-5454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13853324#comment-13853324 ]

Carl-Eric Menzel commented on WICKET-5454:
------------------------------------------

I get your reasoning, but I have a bad feeling about passing around unfinished 
instances. You'd have to add this warning to IAuthorizationStrategy as well. 
And in my experience that is more often used than ICInstantiationListener, so 
it's more likely that people would fall into this trap. I think it would break 
too much backwards compatibility, but I would actually rather remove the 
instantiation listener and make a special case for authorization in the 
component constructor (directly call IAuthStrategy). Pretty much anything 
handled by the instantiation listener could just as well be handled by 
IComponent*Initialization*Listener. It's not called that much later, and it is 
safer. (Of course, then you'd have to decide whether to call it before or after 
the subclass's onInitialize.)

> IAuthorizationStrategy#isInstantiationAuthorized(Class<T> componentClass) 
> should be passed the instance, not only it's class
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-5454
>                 URL: https://issues.apache.org/jira/browse/WICKET-5454
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 6.12.0
>            Reporter: Tom Götz
>            Priority: Minor
>
> It would be easier to decide if instantiation is authorized if one could 
> access some properties of the component being constructed. Use case: we 
> restrict access to certain pages with our own IAuthorizationStrategy 
> implementation, but we'd like error pages to be instantiated. Now, this is 
> not easy to decide if you are only passed the page's class. A call to 
> isErrorPage() would be more elegant in that situation.
> Is there a reason why the class, but not the instance is passed to 
> IAuthorizationStrategy#isInstantiationAuthorized (see constructor of 
> Application: 
> https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L261)?



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
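
The hazard of handing an unfinished instance to an authorization check, as an added example that is not part of the original thread and is not Wicket code. BasePage, MyErrorPage and both predicates are hypothetical stand-ins for a component constructor that calls the check with `this` before the subclass constructor has run.

```java
import java.util.Set;
import java.util.function.Predicate;

public class UnfinishedInstanceDemo {

    // Hypothetical base class: its constructor passes the half-built
    // instance to an instantiation check (assumption, not Wicket's API).
    static abstract class BasePage {
        BasePage(Predicate<BasePage> instantiationCheck) {
            // Subclass fields still hold their default values here.
            if (!instantiationCheck.test(this)) {
                throw new SecurityException("not authorized: " + getClass().getSimpleName());
            }
        }
        boolean isErrorPage() { return false; }
    }

    static class MyErrorPage extends BasePage {
        private boolean errorPage; // false until the constructor body below runs
        MyErrorPage(Predicate<BasePage> check) {
            super(check);          // the check runs inside this call
            this.errorPage = true; // too late for the check to see it
        }
        @Override boolean isErrorPage() { return errorPage; }
    }

    // Runs the constructor under the given check and reports the decision.
    static boolean allowed(Predicate<BasePage> check) {
        try {
            new MyErrorPage(check);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Policy on instance state: reads a field that is not initialized yet,
        // so the decision is made on default values, not on the real object.
        Predicate<BasePage> byInstance = BasePage::isErrorPage;
        // Policy on the class only: independent of construction order.
        Set<Class<?>> errorPages = Set.of(MyErrorPage.class);
        Predicate<BasePage> byClass = p -> errorPages.contains(p.getClass());

        System.out.println("instance-state check allowed: " + allowed(byInstance));
        System.out.println("class-based check allowed:    " + allowed(byClass));
    }
}
```

The same ordering problem can fail open: a check that reads a "restricted" flag from the unfinished instance sees the default `false` and permits a page that should have been denied.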
