i am guessing that the id of the component would be useful for logging
in some cases, but i think it should just be passed in as an extra
argument if that's the case. something to fix in 7.0...

-igor


On Fri, Dec 20, 2013 at 11:44 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> and what about IUnauthorizedComponentInstantiationListener ?
> it receives the partially constructed object in case of rejection
> its javadoc states: The partially constructed component (only the id is
> guaranteed to be valid)
> but even Wicket sources use it (partially) wrong later:
> org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedInstantiation
> casts the instance to a Page and passes it to
> org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedPage(Page)
> Here we use just "page.getClass()" but specialization of this class may try
> to use the page instance for anything
>
>
> Martin Grigorov
> Wicket Training and Consulting
>
>
> On Fri, Dec 20, 2013 at 6:14 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:
>
>> this is a security check, so the whole idea is that it is run before
>> any of the user's code in the constructor which may have side-effects.
>> eg a constructor marking a record as ready to be deleted because a
>> delete panel was instantiated. the class itself should be enough. even
>> if you get an instance you can't use anything in it because its
>> partially constructed. the question is if we do pass an instance how
>> many users will bother reading javadoc? and out of those how many
>> really understand how objects are constructed? i think we should close
>> the issue as wont-fix, reading it "It would be easier to decide if
>> instantiation is authorized if one could access some properties of the
>> component being constructed." which is exactly what you cannot/must
>> not do because the object is only partially initialized, thus proving
>> my point above.
>>
>> the ComponentInstantiationListener is a very special case where we
>> make an exception. the entire point of this interface is to work with
>> a partially constructed object and most users will never implement
>> their own as opposed to the authorization strategy...
>>
>> -igor
>>
>>
>> On Fri, Dec 20, 2013 at 12:53 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
>> > Hi,
>> >
>> > The reporter of https://issues.apache.org/jira/browse/WICKET-5454 asked to
>> > pass the Component instance
>> > to IAuthorizationStrategy#isInstantiationAuthorized() instead of just its
>> > class.
>> > I have no idea why the API has been designed this way but Carl-Eric gave a
>> > good explanation - the component is not yet fully constructed.
>> >
>> > The thing that bothers me is why it is OK to use the instance in my custom
>> > IComponentInstantiationListener and it is not OK to do the same in
>> > IAuthorizationStrategy#isInstantiationAuthorized() ?
>> > If there is a javadoc explaining the possible problem (as for
>> > IComponentInstantiationListener#onInstantiation()) then it is OK.
>> >
>> > Even more - at
>> > https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L276
>> > you can see that right after rejecting the *Class* we pass the *instance*
>> > to the UnauthorizedComponentInstantiationListener!
>> >
>> >
>> > Martin Grigorov
>> > Wicket Training and Consulting
>>
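
The construction-order point discussed in this thread, as an added plain-Java example that is not part of the original messages or of Wicket's code. The classes Component and DeletePanel, the `authorized` predicate and the sample values are hypothetical stand-ins; the example shows a class-based check in the base constructor running before the subclass's field initializers and before the constructor side effect igor describes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Plain-Java model of the scenario in the thread; no Wicket classes are used.
public class PartialConstructionDemo {
    static final List<String> log = new ArrayList<>();

    // Hypothetical stand-in for an authorization strategy that sees only the class.
    static Predicate<Class<?>> authorized = type -> type != DeletePanel.class;

    static abstract class Component {
        final String id;
        Component(String id) {
            this.id = id; // the only state that is valid at this point
            // Runs before any subclass field initializer or constructor body.
            log.add("instance state seen by a check: " + describe());
            if (!authorized.test(getClass())) {
                throw new SecurityException("not authorized: " + getClass().getSimpleName());
            }
        }

        abstract String describe();
    }

    static class DeletePanel extends Component {
        private final String recordId;
        private final List<String> roles = new ArrayList<>(List.of("ADMIN"));

        DeletePanel(String id, String recordId) {
            super(id);
            this.recordId = recordId;
            log.add("side effect: record " + recordId + " marked for deletion");
        }
        @Override
        String describe() {
            return "recordId=" + recordId + ", roles=" + roles;
        }
    }

    public static void main(String[] args) {
        try {
            new DeletePanel("delete", "42"); // constructed sample values
        } catch (SecurityException e) {
            log.add("rejected: " + e.getMessage());
        }
        log.forEach(System.out::println);
    }
}
```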
