I would like to get some ideas on how to proceed with this issue. A quick recap of the problem: using the authorize and unauthorize methods, wicket-auth-roles makes it possible to grant permissions to certain roles a user may or may not have. Most of the time one would use authorize; unauthorize is only capable of removing a previously authorized role. However, because of its name, people expect something like unauthorize(someAction, someRole) to deny someAction for the role someRole, as described in http://issues.apache.org/jira/browse/WICKET-1152. The code was clearly never intended to work like that; in fact, when only using unauthorize, a NullPointerException would have been thrown. (I already committed a quick fix for this on the 1.3 branch but have not yet made any changes to trunk.)

So the question is: do we need to support this expected behavior, and if so, for which versions (1.3, 1.4)? Or can we close this issue with a "not supported" comment, given that this is actually an example project?

Note that currently there is a difference in behavior between doing:

    authorize(someAction, someRole);
    unauthorize(someAction, someRole);

and doing:

    unauthorize(someAction, someRole);

In the first situation every check for that role and action is denied; in the second, every check is allowed.

Your thoughts please.

Maurice

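To make the two call orders concrete, here is an added stand-alone Python model of the per-action role map described above; it is not wicket-auth-roles code, and the action name RENDER and the role names are constructed for the example.

```python
"""Model of role-based action permissions with authorize/unauthorize.

Constructed illustration, not wicket-auth-roles code. It reproduces the
behaviour described in the message: an action with no roles registered
is allowed for everyone (the post-fix behaviour; the unfixed code threw a
NullPointerException there), while an action whose role set was emptied
by unauthorize is denied for everyone.
"""
from typing import Dict, List, Optional, Set


class ActionPermissions:
    def __init__(self) -> None:
        # action name -> roles allowed to perform it.
        # An absent key means "no restriction configured for this action".
        self._roles_for_action: Dict[str, Set[str]] = {}

    def authorize(self, action: str, role: str) -> None:
        self._roles_for_action.setdefault(action, set()).add(role)

    def unauthorize(self, action: str, role: str) -> None:
        # Only removes a previously granted role; it never records a denial.
        # On an action with no entry it is a no-op (the unfixed code
        # dereferenced the missing entry instead).
        roles: Optional[Set[str]] = self._roles_for_action.get(action)
        if roles is not None:
            roles.discard(role)

    def is_action_authorized(self, action: str, user_roles: Set[str]) -> bool:
        roles = self._roles_for_action.get(action)
        if roles is None:
            return True  # nothing configured for this action: fail open
        return bool(roles & user_roles)  # empty set: nobody matches


def outcome(sequence: List[str], action: str, role: str,
            user_roles: Set[str]) -> bool:
    """Apply authorize/unauthorize calls in order, then run the check."""
    perms = ActionPermissions()
    for call in sequence:
        getattr(perms, call)(action, role)
    return perms.is_action_authorized(action, user_roles)


if __name__ == "__main__":
    admin = {"ADMIN"}
    print("authorize+unauthorize, ADMIN:",
          outcome(["authorize", "unauthorize"], "RENDER", "ADMIN", admin))
    print("unauthorize only, ADMIN:", outcome(["unauthorize"], "RENDER", "ADMIN", admin))
    print("unauthorize only, no roles:", outcome(["unauthorize"], "RENDER", "ADMIN", set()))
```

The second and third lines of output show why unauthorize alone is a footgun: the role map stays empty, so the check falls back to allowing every caller.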