On 5/29/07, Eelco Hillenius <[EMAIL PROTECTED]> wrote:
> And we have that component: the inspector bug... We moved it to
> wicket-examples because it was a security risk.
Sure. But if it would be part of the 'development dashboard' it
wouldn't be a security risk as we don't want people to run in
develpment mode in the first place, right?
The original problem iirc was that the inspector bug was a
bookmarkable page, and not secured. So any hoodlum could conjure the
inspector bug for any given Wicket based application (provided they
didn't roll their own wicket version without those pages). That is why
it was removed.
In this case, we could issue a 404 when the page is requested when the
application is in deployment mode.
It should not be a setting that can be turned off: this way people are
forced to use deployment instead of development or the default, and to
enable the development features if they need them. Something like:
<div id="wicketDevelopment"
style="z-index:10000;position:absolute;bottom:25px;right:25px;height:30px;width:200px;background:white;color:red;font-size:12px;line-height:18px;font-family:helvetica;padding-top:5px;padding-bottom:5px;text-align:center"
title="To remove this dashboard, use DEPLOYMENT mode instead">
WICKET DASHBOARD<br/>
<span style="font-size:10px">[<a href="#"
onclick="document.getElementById('wicketDevelopment').style.display='none';">hide</a>|<a
href="#">inspect</a>|<a href="#">ajax</a>]</span>
</div>
See http://www.flickr.com/photos/dashorst/520637215/ for an example.
It should contain a link to hide the message, for screenshot purposes,
as long as it keeps popping up on each page render, or hide it on a
mouse-over or something like that.
Martijn
--
Join the wicket community at irc.freenode.net: ##wicket
Wicket 1.2.6 contains a very important fix. Download Wicket now!
http://wicketframework.org
