And what about IUnauthorizedComponentInstantiationListener?
It receives the partially constructed object in case of rejection.
Its javadoc states: "The partially constructed component (only the id is
guaranteed to be valid)",
but even Wicket sources use it (partially) wrong later:
org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedInstantiation
casts the instance to a Page and passes it to
org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedPage(Page)
Here we use just "page.getClass()" but a specialization of this class may try
to use the page instance for anything.


Martin Grigorov
Wicket Training and Consulting


On Fri, Dec 20, 2013 at 6:14 PM, Igor Vaynberg <igor.vaynb...@gmail.com> wrote:

> this is a security check, so the whole idea is that it is run before
> any of the user's code in the constructor which may have side-effects.
> eg a constructor marking a record as ready to be deleted because a
> delete panel was instantiated. the class itself should be enough. even
> if you get an instance you can't use anything in it because it's
> partially constructed. the question is if we do pass an instance how
> many users will bother reading javadoc? and out of those how many
> really understand how objects are constructed? i think we should close
> the issue as wont-fix, reading it "It would be easier to decide if
> instantiation is authorized if one could access some properties of the
> component being constructed." which is exactly what you cannot/must
> not do because the object is only partially initialized, thus proving
> my point above.
>
> the ComponentInstantiationListener is a very special case where we
> make an exception. the entire point of this interface is to work with
> a partially constructed object and most users will never implement
> their own as opposed to the authorization strategy...
>
> -igor
>
>
> On Fri, Dec 20, 2013 at 12:53 AM, Martin Grigorov <mgrigo...@apache.org> wrote:
> > Hi,
> >
> > The reporter of https://issues.apache.org/jira/browse/WICKET-5454 asked to
> > pass the Component instance
> > to IAuthorizationStrategy#isInstantiationAuthorized() instead of just its
> > class.
> > I have no idea why the API has been designed this way but Carl-Eric gave a
> > good explanation - the component is not yet fully constructed.
> >
> > The thing that bothers me is why it is OK to use the instance in my custom
> > IComponentInstantiationListener and it is not OK to do the same in
> > IAuthorizationStrategy#isInstantiationAuthorized() ?
> > If there is a javadoc explaining the possible problem (as for
> > IComponentInstantiationListener#onInstantiation()) then it is OK.
> >
> > Even more - at
> > https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L276 you
> > can see that right after rejecting the *Class* we pass the *instance* to
> > the UnauthorizedComponentInstantiationListener!
> >
> >
> > Martin Grigorov
> > Wicket Training and Consulting
>
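
The construction-order problem discussed in this thread, as an added example that is not part of the original messages and is not Wicket code. `Base`, `DeletePanel`, `requiredRole()` and the check predicates are hypothetical stand-ins; the sketch shows an instance-based check failing open on an unassigned field, while a check that uses only the class rejects before the subclass constructor's side effect runs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Hypothetical stand-ins for illustration; these are not Wicket classes.
public class PartialConstructionDemo {
    static final List<String> sideEffects = new ArrayList<>();

    static abstract class Base {
        final String id;
        Base(String id, Predicate<Base> instantiationCheck) {
            this.id = id; // the only state guaranteed to be valid at this point
            // Security check runs here, before any subclass constructor code.
            if (!instantiationCheck.test(this)) {
                throw new SecurityException("instantiation denied: " + id);
            }
        }
        abstract String requiredRole();
    }

    static class DeletePanel extends Base {
        private final String role;
        DeletePanel(String id, String role, Predicate<Base> check) {
            super(id, check);
            this.role = role; // assigned only after Base() has returned
            sideEffects.add("record marked for deletion via " + id);
        }
        @Override String requiredRole() { return role; }
    }

    public static void main(String[] args) {
        String userRole = "USER"; // constructed sample value

        // Instance-based check: reads a field that is still null, so it fails open.
        Predicate<Base> byInstance =
            c -> c.requiredRole() == null || c.requiredRole().equals(userRole);
        new DeletePanel("delete1", "ADMIN", byInstance);
        System.out.println("instance check let through: " + sideEffects);

        // Class-based check: decides from the type alone, no instance state is read.
        Predicate<Base> byClass =
            c -> !(DeletePanel.class.isAssignableFrom(c.getClass()) && !userRole.equals("ADMIN"));
        sideEffects.clear();
        try {
            new DeletePanel("delete2", "ADMIN", byClass);
        } catch (SecurityException e) {
            System.out.println(e.getMessage() + ", side effects: " + sideEffects);
        }
    }
}
```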
