Done. https://issues.apache.org/jira/browse/WICKET-5490
Martin Grigorov Wicket Training and Consulting On Fri, Dec 20, 2013 at 8:48 PM, Igor Vaynberg <igor.vaynb...@gmail.com>wrote: > i am guessing that the id of the component would be useful for logging > in some cases, but i think it should just be passed in as an extra > argument if thats the case. something to fix in 7.0... > > -igor > > > On Fri, Dec 20, 2013 at 11:44 AM, Martin Grigorov <mgrigo...@apache.org> > wrote: > > and what about IUnauthorizedComponentInstantiationListener ? > > it receives the partially constructed object in case of rejection > > its javadoc states: The partially constructed component (only the id is > > guaranteed to be valid) > > but even Wicket sources use it (partially) wrong later: > > > org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedInstantiation > > casts the instance to a Page and passes it to > > > > org.apache.wicket.authroles.authentication.AuthenticatedWebApplication#onUnauthorizedPage(Page) > > Here we use just "page.getClass()" but specialization of this class may > try > > to use the page instance for anything > > > > > > Martin Grigorov > > Wicket Training and Consulting > > > > > > On Fri, Dec 20, 2013 at 6:14 PM, Igor Vaynberg <igor.vaynb...@gmail.com > >wrote: > > > >> this is a security check, so the whole idea is that it is ran before > >> any of the user's code in the constructor which may have side-effects. > >> eg a constructor marking a record as ready to be deleted because a > >> delete panel was instantiated. the class itself should be enough. even > >> if you get an instance you cant use anything in it because its > >> partially constructed. the question is if we do pass an instance how > >> many users will bother reading javadoc? and out of those how many > >> really understand how objects are constructed? i think we should close > >> the issue as wont-fix, reading it "It would be easier to decide if > >> instantiation is authorized if one could access some properties of the > >> component being constructed." which is exactly what you cannot/must > >> not do because the object is only partially initialized, thus proving > >> my point above. > >> > >> the ComponentInstantiationListener is a very special case where we > >> make an exception. the entire point of this interface is to work with > >> a partially constructed object and most users will never implement > >> their own as opposed to the authorization strategy... > >> > >> -igor > >> > >> > >> On Fri, Dec 20, 2013 at 12:53 AM, Martin Grigorov <mgrigo...@apache.org > > > >> wrote: > >> > Hi, > >> > > >> > The reporter of https://issues.apache.org/jira/browse/WICKET-5454asked > >> to > >> > pass the Component instance > >> > to IAuthorizationStrategy#isInstantiationAuthorized() instead of just > >> its > >> > class. > >> > I have no idea why the API has been designed this way but Carl-Eric > gave > >> a > >> > good explanation - the component is not yet fully constructed. > >> > > >> > The thing that bothers me is why it is OK to use the instance in my > >> custom > >> > IComponentInstantiationListener and it is not OK to do the same in > >> > IAuthorizationStrategy#isInstantiationAuthorized() ? > >> > If there is a javadoc explaining the possible problem (as for > >> > IComponentInstantiationListener#onInstantiation()) then it is OK. > >> > > >> > Even more - at > >> > > >> > https://github.com/apache/wicket/blob/master/wicket-core/src/main/java/org/apache/wicket/Application.java#L276you > >> > can see that right ater rejecting the *Class* we pass the *instance* > >> > to > >> > the UnauthorizedComponentInstantiationListener! > >> > > >> > > >> > Martin Grigorov > >> > Wicket Training and Consulting > >> >
