Igor,

Your suggestion seems to be based on "security through obscurity", i.e. hiding the Edit link rather than securing the Edit page? Thus, if an unauthorized user knows or discovers the URL of the edit page (e.g. from browser history), what stops them from editing another user's listing?

-Ben

Igor Vaynberg wrote:
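import org.apache.wicket.markup.html.link.Link;

class EditListingLink extends Link<Listing> {
  // overrides Component#isEnabled(), which is public and returns boolean
  @Override
  public boolean isEnabled() {
    // enable the link only when the current user is the listing's author
    Listing listing=getModelObject();
    return MySession.get().getUser().equals(listing.getAuthor());
  }
}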

-igor


On Tue, May 26, 2009 at 6:12 PM, Ben Hutchison <b...@ibsglobalweb.com> wrote:
Marco Santos wrote:
In the book "Wicket in Action" there is a chapter (12) that covers
Authentication and Authorization. It will be very useful to you, and is
very easy to understand and implement.

Well no.. actually.

As I made clear in my question, I need to do _context-sensitive_
authorization.

The example (chapter 11, by the way), is a classic non-contextual
authorization example - there are User and Admin roles that are unaffected
by context.

-Ben

--



*Ben Hutchison
Senior Developer
* Level 2 476 St Kilda Road Melbourne VIC 3004
T 613 8807 5252 | F 613 8807 5203 | M 0423 879 534 | www.ibsglobalweb.com
<http://www.ibsglobalweb.com/>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org
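
The concern Ben raises in the top message, shown as an added example that is not code from anyone in this thread: the ownership check is enforced in the edit page itself, both when the page is constructed and again when the form is submitted, so hiding or disabling the link is only a UI convenience. Listing, MySession and their getAuthor()/getUser() accessors are assumed from Igor's snippet; EditListingPage, requireOwner and the "form" component id are hypothetical names.

```java
import org.apache.wicket.authorization.UnauthorizedInstantiationException;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;

// Listing and MySession are the application's own classes as named in the
// thread; their accessors are assumed from the EditListingLink snippet.
public class EditListingPage extends WebPage {

  public EditListingPage(IModel<Listing> model) {
    super(model);

    // Checked on every instantiation: a user who reaches this page from a
    // bookmark or browser history is refused, not only one who clicks the link.
    requireOwner(model.getObject());

    add(new Form<Listing>("form", model) {
      @Override
      protected void onSubmit() {
        // Checked again at write time: the session user or the listing's
        // author may have changed since the page was rendered.
        requireOwner(getModelObject());
        // application-specific: persist the edited listing here
      }
    });
  }

  // Context-sensitive rule: only the listing's author may edit it.
  private void requireOwner(Listing listing) {
    Object user = MySession.get().getUser(); // assumed null when nobody is logged in
    if (listing == null || user == null || !user.equals(listing.getAuthor())) {
      throw new UnauthorizedInstantiationException(EditListingPage.class);
    }
  }
}
```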


