isInstantiationAuthorized is also very important because sometimes you do
things in the constructor that have side effects.
take a stupid example

class DeleteAllUsersPage extends WebPage {
    public DeleteAllUsersPage() {
        // side effect runs as soon as the page object is constructed
        service.deleteallusers();
        add(new Label("lbl", "all users deleted"));
    }
}

by the time enable or render actions are checked it's too late - you want to
intercept it before it is created.
also we have a separate method rather than INSTANTIATE action because method
signatures wouldn't match.
-igor
On 2/28/07, Martin Benda <[EMAIL PROTECTED]> wrote:
> you are correct that there is an underlying assumption that a user's roles
> cannot change within a session. to solve that problem right now, you would
> have to manually call Session.clear(), clearing all pagemaps in the user's
> session. why do you think that would not work? (aside from whatever's
> broken in head right now)
Yes, Session.clear() will work, but you must know when to call it... When
user's roles are changed for instance by some external administration tool,
there must be a way to trigger Session.clear(). But I admit that this is a
rather special case...
> if you really
> want to be sure about checking access to a component, the best way is to
> check on rendering. you can already do that now. just don't let your
> component perform the RENDER action unless the user is authorized to do it.
When it comes to security, you should be always *really* sure :-) And if that
means that every component secured by isInstantiationAuthorized should be
also secured by isActionAuthorized (ENABLE or RENDER) just to be sure, isn't
isInstantiationAuthorized redundant? This was the original idea that led me
to start this thread...
Regards,
Bendis
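
Added example, not part of the original thread and not Wicket's own code: a plain-Java model of the ordering described in the reply, where a render-time check alone denies the page only after its constructor has already run. The AuthStrategy interface, the request() handler, the USERS list and the role names are all hypothetical simplifications.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class InstantiationCheckDemo {
    // Constructed stand-in for the user store; not part of Wicket.
    static final List<String> USERS = new ArrayList<>();

    // Simplified model of the two hooks discussed in the thread (hypothetical interface).
    interface AuthStrategy {
        boolean isInstantiationAuthorized(Class<?> pageClass, Set<String> roles);
        boolean isRenderAuthorized(Object page, Set<String> roles);
    }

    // The page from the thread: the constructor itself has the side effect.
    static class DeleteAllUsersPage {
        DeleteAllUsersPage() { USERS.clear(); }
        String render() { return "all users deleted"; }
    }

    // Hypothetical request handler: class check, construct, then render check.
    static String request(Set<String> roles, AuthStrategy auth) {
        if (!auth.isInstantiationAuthorized(DeleteAllUsersPage.class, roles)) {
            return "denied before construction";
        }
        DeleteAllUsersPage page = new DeleteAllUsersPage(); // side effect runs here
        if (!auth.isRenderAuthorized(page, roles)) {
            return "denied at render";
        }
        return page.render();
    }

    // Builds a strategy that always checks render, and optionally instantiation.
    static AuthStrategy strategy(boolean checkInstantiation) {
        return new AuthStrategy() {
            public boolean isInstantiationAuthorized(Class<?> c, Set<String> roles) {
                return !checkInstantiation || roles.contains("ADMIN");
            }
            public boolean isRenderAuthorized(Object page, Set<String> roles) {
                return roles.contains("ADMIN");
            }
        };
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("USER"); // constructed non-admin session
        for (boolean checkInstantiation : new boolean[] {false, true}) {
            USERS.clear();
            USERS.addAll(List.of("alice", "bob")); // constructed sample users
            String result = request(roles, strategy(checkInstantiation));
            System.out.println(result + ", users left: " + USERS.size());
        }
    }
}
```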