Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding @PageAuthorize page state. #215

Closed
wants to merge 10 commits into from
Closed

Adding @PageAuthorize page state. #215

wants to merge 10 commits into from

Conversation

BenDol
Copy link
Contributor

@BenDol BenDol commented Dec 22, 2016

This gives an opportunity for "gatekeeping" pages asynchronously.

@PageAuthorize
void onAuthorize(NavigationControl control) {
    myService.call(hasAccess -> {
        if(hasAccess) {
            // We have access, proceed with navigation.
            control.proceed();
        } else {
            // Interrupt navigation and redirect.
            control.interrupt();
            redirectPageTo.go();
        }
    }).hasAccess(modelId, userId);
}

@BenDol
Adding @PageAuthorize page state.
20d1372 
This gives an opportunity for "gatekeeping" pages asynchronously.

@PageAuthorize
void onAuthorize(NavigationControl control) {
    myService.call(hasAccess -> {
        if(hasAccess) {
            // We have access, proceed with navigation.
            control.proceed();
        } else {
            // Interrupt navigation and redirect.
            control.interrupt();
            redirectPageTo.go();
        }
    }).hasAccess(modelId, userId);
}
@kie-ci
Copy link

kie-ci commented Dec 22, 2016

Can one of the admins verify this PR? Comment with 'ok to test' to start the build.

@mbarkley
Copy link
Contributor

Hi @BenDol,

I had been meaning to respond to your forum post, but clearly you were too quick for me ;)

First let me say that I like this feature. Your changes are easy to understand, and thank you for adding javadoc and a license header to the new file you created!

That being said, there are some things I think we should change before merging this. Here are some of my concerns:

  1. Calling NavigationControl.interrupt() appears to leave navigation in a state were we are not on any page. Perhaps interrupt could take a class for a @Page or UniquePageRole to navigate to instead? Maybe calling interrupt without an argument navigates back to the previous page? One way or another, we should end up on some page after navigation has been interrupted.

  2. It seems like we could integrate this behaviour into @PageShowing. In the same way that @PageHiding can optionally have a NavigationControl parameter, we could make the same enhancement to @PageShowing. This is preferable because it keeps the API symmetric and removes the need for an additional lifecycle method.

  3. As far as I can tell, the NavigationControl.interrupt method will cause an NPE if invoked from a @PageHiding method. If someone calls interrupt from a @PageHiding method without an argument, it would make sense for nothing to happen. Certainly if we are exposing this API, it shouldn't blow up.

  4. There are no tests or docs for this feature. We'll need to add at least 3 tests to NavigationTest: one where interrupt is called, one where proceed is called, and one where interrupt is called from a @PageHiding method to verify that this doesn't cause errors. The project documentation can be found here, where you would need to update the "Page Lifecycle" section.

Cheers.

@BenDol
Copy link
Contributor Author

BenDol commented Dec 24, 2016
edited

Hi @mbarkley, thanks for the response. I will address the points made here:

  1. That is probably a good idea to give interrupt some form of default behavior, but the idea is that interrupt is called when you take control of the navigation process, perhaps interrupt requires a Page transition class to be passed in as a parameter? That way they will always need to go to a specific page upon interrupting.

  2. The reason I kept this functionality separate is because in my own project I have a lot of other functionality in @PageShowing. However perhaps doing it as you have suggested is a better approach.

  3. Won't blow up, I think https://github.com/errai/errai/pull/215/files#diff-7a86ee145a10ddfa8fe57b68cdfd86c4R62

  4. I will look into writing these tests once we have agree'd on the best approach.

Cheers.

@BenDol
Copy link
Contributor Author

BenDol commented Jan 8, 2017

@mbarkley Thoughts?

@mbarkley
Copy link
Contributor

mbarkley commented Jan 9, 2017

Hi @BenDol,

Let me respond to your previous comment point by point.

  1. Taking a page as a parameter for this method that you redirect to would be great. In fact, at that point I think it makes sense to rename interrupt to redirect. Then usage would look like this: control.redirect(HomePage.class).

  2. I understand why you made this a separate life-cycle method, but I think the best choice for the framework is to add this to the @PageShowing so that we don't increase the size of the navigation life-cycle API and maintain symmetry between showing and hiding pages.

  3. Yeah, looks like I was wrong about that one :) Of course, if we change interrupt to be redirect(Page.class) we'll have to make sure that calling redirecting also works from @PageHiding methods, but that should be easy enough.

If you agree with my suggestions, then I can review the PR again once you've had time to update it.

mbarkley and others added 9 commits January 11, 2017 22:14
@mbarkley @BenDol
New fix for distributed session use case (reverts change to QueueSess…
0bcccf3 
…ion id).

Revert change to HttpSessionWrapper. Don't store SessionContainer in
session anymore. Keep map of SessionContainers instead.
@mbarkley @BenDol
ERRAI-979: Provide functionality for CSRF protection
384dcfa 
CSRF protection on message bus servlets is enabled by property.
Enabling the property creates a CSRF token on the first POST
request to the server bus.

The token can be written to an HTML page as a JavaScript variable
with a filter, or else the client can acquire it from a challenge
from the server (a 403 response containing the token as a header).

There is also a filter that protects REST endpoints using the same token.
When an Errai REST caller finds the token in a global JavaScript variable,
it will set this as a header for all REST requests.

Errai REST callers will also retry after a challenge from the server
(403 + token in header).
@mbarkley @BenDol
Add regression test for ERRAI-914.
7dd53ac
@mbarkley @BenDol
Regression test for ERRAI-757.
dda3eea
@mbarkley @BenDol
Document server-side logging of RPC endpoint exceptions.
839e3f0
@mbarkley @BenDol
Support destruction of @ApplicationScoped beans.
3128a29 
Previously a @PreDestroy would be called but
@ApplicationScoped instance would remain in service.
@mbarkley @BenDol
Remove 'destroyAllBeans' method from bean manager API.
db99e52
@manstis @BenDol
ERRAI-1016: Duplicate method getContext() in generated Proxy error
9a8af2d
@BenDol
Update for PR suggestions
864ef0c
@BenDol BenDol mentioned this pull request Jan 11, 2017
Closed
@BenDol
Copy link
Contributor Author

BenDol commented Jan 11, 2017

Continued here #224

@BenDol BenDol closed this Jan 11, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@BenDol @kie-ci @mbarkley @manstis