Author: ivaynberg
Date: Wed Nov 23 06:38:40 2011
New Revision: 1205298

URL: http://svn.apache.org/viewvc?rev=1205298&view=rev
Log:
block onbeforerender() from being called if auth strategy vetoes render action
Issue: WICKET-4256

Added:
    
wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/
    
wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
Modified:
    
wicket/branches/wicket-1.5.x/wicket-core/src/main/java/org/apache/wicket/Component.java

Modified: 
wicket/branches/wicket-1.5.x/wicket-core/src/main/java/org/apache/wicket/Component.java
URL: 
http://svn.apache.org/viewvc/wicket/branches/wicket-1.5.x/wicket-core/src/main/java/org/apache/wicket/Component.java?rev=1205298&r1=1205297&r2=1205298&view=diff
==============================================================================
--- 
wicket/branches/wicket-1.5.x/wicket-core/src/main/java/org/apache/wicket/Component.java
 (original)
+++ 
wicket/branches/wicket-1.5.x/wicket-core/src/main/java/org/apache/wicket/Component.java
 Wed Nov 23 06:38:40 2011
@@ -971,6 +971,9 @@ public abstract class Component
        {
                configure();
 
+               // check authorization
+               setRenderAllowed();
+
                if ((determineVisibility()) && !getFlag(FLAG_RENDERING) &&
                        !getFlag(FLAG_PREPARED_FOR_RENDER))
                {
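Review bot: The new `setRenderAllowed()` call runs after `configure()`, so a component the authorization strategy vetoes still goes through its configure step; only the `determineVisibility()` branch below it is gated, presumably because that check consults the render-allowed flag. The comment removed in the second hunk explained why the check used to sit later ("after attach as otherwise list views etc wont work"), while the new `// check authorization` gives no reason for the new position. I would spell the ordering out, for example `// check authorization after configure() but before determineVisibility(), so a vetoed component is never prepared for render (WICKET-4256)`. It is also worth confirming that the list-view case from the old comment is unaffected. The enclosing method starts and ends outside this hunk.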
@@ -2203,11 +2206,6 @@ public abstract class Component
                }
 
                markRendering(setRenderingFlag);
-
-               // check authorization
-               // first the component itself
-               // (after attach as otherwise list views etc wont work)
-               setRenderAllowed();
        }
 
        /**

Added: 
wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
URL: 
http://svn.apache.org/viewvc/wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java?rev=1205298&view=auto
==============================================================================
--- 
wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
 (added)
+++ 
wicket/branches/wicket-1.5.x/wicket-core/src/test/java/org/apache/wicket/authorization/ComponentIsRenderedAllowedTest.java
 Wed Nov 23 06:38:40 2011
@@ -0,0 +1,165 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.wicket.authorization;
+
+import static org.junit.Assert.assertFalse;
+
+import org.apache.wicket.Component;
+import org.apache.wicket.MarkupContainer;
+import org.apache.wicket.markup.IMarkupResourceStreamProvider;
+import org.apache.wicket.markup.html.WebMarkupContainer;
+import org.apache.wicket.markup.html.WebPage;
+import org.apache.wicket.mock.MockApplication;
+import org.apache.wicket.request.component.IRequestableComponent;
+import org.apache.wicket.util.resource.IResourceStream;
+import org.apache.wicket.util.resource.StringResourceStream;
+import org.apache.wicket.util.tester.WicketTester;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Checks whether or not authorization strategy blocks rendering of components
+ * 
+ * @author igor
+ */
+public class ComponentIsRenderedAllowedTest
+{
+       private WicketTester tester;
+
+       /** */
+       @Before
+       public void setupTester()
+       {
+               tester = new WicketTester(new SecuredApplication());
+       }
+
+       /** */
+       @After
+       public void destroyTester()
+       {
+               tester.destroy();
+               tester = null;
+       }
+
+       /** */
+       @Test
+       public void onBeforeRenderNotCalledOnVetoedComponents()
+       {
+               TestPage page = new TestPage();
+               tester.startPage(page);
+               assertFalse(page.normal.onBeforeRenderCalled);
+       }
+
+       /** */
+       @Test
+       public void vetoedComponentNotRendered()
+       {
+               TestPage page = new TestPage();
+               tester.startPage(page);
+               assertFalse(page.normal.onAfterRenderCalled);
+       }
+
+       /** */
+       public class TestPage extends WebPage implements 
IMarkupResourceStreamProvider
+       {
+               private final NormalContainer normal;
+
+               /** */
+               public TestPage()
+               {
+                       ForbiddenContainer forbidden = new 
ForbiddenContainer("forbidden");
+                       normal = new NormalContainer("normal");
+                       add(forbidden);
+                       forbidden.add(normal);
+               }
+
+               public IResourceStream getMarkupResourceStream(MarkupContainer 
container,
+                       Class<?> containerClass)
+               {
+                       return new StringResourceStream(
+                               "<html><body><div wicket:id='forbidden'><div 
wicket:id='normal'></div></div></body></html>");
+               }
+
+       }
+
+       private static class NormalContainer extends WebMarkupContainer
+       {
+
+               private boolean onBeforeRenderCalled = false;
+               private boolean onAfterRenderCalled = false;
+
+               public NormalContainer(String id)
+               {
+                       super(id);
+               }
+
+               @Override
+               protected void onBeforeRender()
+               {
+                       super.onBeforeRender();
+                       onBeforeRenderCalled = true;
+               }
+
+               @Override
+               protected void onAfterRender()
+               {
+                       super.onAfterRender();
+                       onAfterRenderCalled = true;
+               }
+
+       }
+
+       private static class ForbiddenContainer extends WebMarkupContainer 
implements Forbidden
+       {
+               public ForbiddenContainer(String id)
+               {
+                       super(id);
+               }
+       }
+
+       private static class SecuredApplication extends MockApplication
+       {
+               @Override
+               protected void init()
+               {
+                       super.init();
+                       getSecuritySettings().setAuthorizationStrategy(new 
Authorizer());
+               }
+       }
+
+       private static interface Forbidden
+       {
+
+       }
+
+       private static class Authorizer implements IAuthorizationStrategy
+       {
+
+               public <T extends IRequestableComponent> boolean 
isInstantiationAuthorized(
+                       Class<T> componentClass)
+               {
+                       return true;
+               }
+
+               public boolean isActionAuthorized(Component component, Action 
action)
+               {
+                       return !(component instanceof Forbidden);
+               }
+       }
+
+}
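Review bot: Both tests only use `assertFalse` on `page.normal`, so they would also pass if `tester.startPage(page)` rendered nothing at all; a `NormalContainer` outside the vetoed subtree with `assertTrue` checks would make the veto the only explanation. Neither test observes `ForbiddenContainer` itself, since `normal` is its child, so `vetoedComponentNotRendered` in fact checks a descendant of the vetoed component. `Authorizer.isActionAuthorized` also ignores `action` and vetoes every action on a `Forbidden` component, so testing the action would tie the fixture to the render veto named in the commit log. The sketch below adds the positive control and needs a static import of `assertTrue`.

```java
// in TestPage: a container outside the vetoed subtree, used as a positive control
private final NormalContainer control;

public TestPage()
{
        // … unchanged: forbidden / normal setup …
        control = new NormalContainer("control");
        add(control);
}

// … getMarkupResourceStream: add <div wicket:id='control'></div> after the 'forbidden' div …

@Test
public void authorizedComponentStillRendered()
{
        TestPage page = new TestPage();
        tester.startPage(page);
        assertTrue(page.control.onBeforeRenderCalled);
        assertTrue(page.control.onAfterRenderCalled);
}
```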

