Hi Nick On 7/24/06, Nick Westgate <[EMAIL PROTECTED]> wrote:
Although what you say makes sense in your case, validate/pageValidate/PageValidateListener were originally intended to validate that "the user is allowed to visit the page". http://tapestry.apache.org/tapestry4/tapestry/apidocs/org/apache/tapestry/IPage.html#validate(org.apache.tapestry.IRequestCycle) Traditionally confusing Tapestry naming, I know ;-) but I use it in this way, and also to throw redirects to https etc. If the order is changed then it will be a breaking change for me, and I suspect for others too, but more importantly we would need to keep in mind that activity in activateExternalPage would not be safe-guarded by pageValidate from malicious use.
That makes sense too but in this scenario, if you check before the activateExternalPage is called and lets imagine the user is not allowed, you throw a PageRedirectException => the parameters passed to activateExternalPage become lost. So I really do have a problem with the logic of this method... I can imagine that there is a security risk if you do actions in the activateExternalPage... Is that what you are doing? I usually only load page properties from the parameters so my code there is harmless and in the worst case it just throws an exception.
Security code intended for all pages should be executed before activateExternalPage. It could be placed in pageAttached, but initialization code you are putting in pageValidate has traditionally been put in pageBeginRender as suggested here: http://tapestry.apache.org/tapestry4/tapestry/apidocs/org/apache/tapestry/IPage.html#attach(org.apache.tapestry.IEngine,%20org.apache.tapestry.IRequestCycle) Is the stuff you put in pageValidate per-page? Why not pageBeginRender?
Isn't pageBeginRender called twice with a form? One before rewinding and once on the rendering? My code in there is really per page... stuff like set the default selection. I think this is the main reason why I moved all my code to pageValidate... I got lots of tortured code that with the rewiding checks in my forms so I moved away from this method.
A bit of discussion might be nice before shuffling page events around. ;-)
At least with frequent releases this can be solved fast ;-) Cheers, Henri.
