Friday, January 29, 2010

App Engine: Google fails users.is_current_user_admin() test

The way Google App Engine executes cron jobs shows that not all admin authentication is created equal. If you secure your cron or task queue URL in app.yaml, as Google suggests, the URL is locked down so that only an administrator can reach it, and App Engine treats its own cron and task queue requests as administrator requests for this purpose:


- url: /admin/my-cron-url
  script: main.py
  login: admin


However, if you would like to enforce this yourself, from inside the handler, the obvious route looks like a dead end.
Yes, you could check the request User-Agent, but that is trivially spoofed; at first glance the most useful method is the users.is_current_user_admin() API method, yet it returns False for Google cron and task queue requests, because those requests carry no logged-in Google user at all. The signal App Engine does give a handler is the X-AppEngine-Cron: true header on cron requests (and X-AppEngine-QueueName on task queue requests); the frontend strips these headers from any request arriving from outside, so, unlike the User-Agent, their presence can be trusted.
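As an added example (not code from the original post, and not the App Engine SDK), the following Python models the difference between the three checks discussed above: a User-Agent comparison, is_current_user_admin(), and the X-AppEngine-* headers. The header names are the documented App Engine ones; the User-Agent string and the request dictionaries are constructed for the demo, and frontend_filter() is a stand-in for the App Engine frontend, which keeps those headers on requests from Google's own services and strips them from external ones. Because the verifier has no SDK, the handler takes the is_current_user_admin() result as a plain argument; for cron and task queue requests it is always False, which is exactly the problem the post describes.

```python
import logging

# Headers the App Engine frontend sets on requests from its own services and
# strips from any request that arrives from outside the platform.
CRON_HEADER = "X-AppEngine-Cron"
QUEUE_HEADER = "X-AppEngine-QueueName"
INTERNAL_HEADERS = (CRON_HEADER, QUEUE_HEADER, "X-AppEngine-TaskName")

# Assumed/constructed for the demo: the User-Agent the cron service sends.
# An attacker can send exactly the same string, so it proves nothing.
CRON_UA = "AppEngine-Google; (+http://code.google.com/appengine)"


def _norm(headers):
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return dict((k.lower(), v) for k, v in headers.items())


def frontend_filter(headers, from_google):
    """Simulation (not the SDK) of the App Engine frontend: requests that
    originate inside Google keep the X-AppEngine-* headers, external
    requests have them removed before the handler ever sees them."""
    h = _norm(headers)
    if not from_google:
        for name in INTERNAL_HEADERS:
            h.pop(name.lower(), None)
    return h


def google_service(headers):
    """Return 'cron', 'taskqueue' or None from the headers the handler sees.
    Only the trusted headers are consulted, never the User-Agent."""
    h = _norm(headers)
    if h.get(CRON_HEADER.lower(), "").lower() == "true":
        return "cron"
    if h.get(QUEUE_HEADER.lower()):
        return "taskqueue"
    return None


def handle_admin_task(headers, is_current_user_admin=False):
    """Handler body doing the check itself, so the status code, logging and
    response stay under the application's control (the post's goal).
    Returns (status, body)."""
    service = google_service(headers)
    if service is None and not is_current_user_admin:
        logging.warning("rejected task request; ua=%r",
                        _norm(headers).get("user-agent"))
        return 403, "Forbidden"
    return 200, "ran task via %s" % (service or "admin user")


# Constructed sample requests.
REAL_CRON = {"User-Agent": CRON_UA, "X-AppEngine-Cron": "true"}
REAL_TASK = {"User-Agent": CRON_UA, "X-AppEngine-QueueName": "default",
             "X-AppEngine-TaskName": "task-0001"}
# An outsider forging both the User-Agent and the cron header.
SPOOFED = {"User-Agent": CRON_UA, "X-AppEngine-Cron": "true"}


def demo():
    """Run the three requests through the simulated frontend and handler.
    is_current_user_admin is False throughout: cron and task queue
    requests have no logged-in user, and the outsider is not an admin."""
    results = {}
    results["cron"] = handle_admin_task(frontend_filter(REAL_CRON, True))
    results["task"] = handle_admin_task(frontend_filter(REAL_TASK, True))
    results["spoof"] = handle_admin_task(frontend_filter(SPOOFED, False))
    # A User-Agent-only check would have accepted the forged request.
    results["ua_only_accepts_spoof"] = SPOOFED["User-Agent"] == CRON_UA
    return results


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%s: %r" % (name, value))
```

The spoofed request passes the User-Agent comparison but arrives at the handler with the X-AppEngine-Cron header already gone, so it gets the 403 the handler chose, with the application's own log line; the genuine cron and task queue requests are accepted even though is_current_user_admin() is False for them.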

This is inconvenient for me; I do use Google user accounts for my applications (such as My Web Brain) but I like handling security within the confines of an event handler, where I can control the exception raised, HTTP status code, logging and actual response sent to the user.

Hopefully this inconsistency will be resolved in a future App Engine release, but my feeling is that Google jury-rigged the exception for their own services into their own interpretation of app.yaml, and that the inbuilt users API would not know Google's own requests from anyone else's.

1 comment:

  1. Techniques for growing and caring for chayote
    buy books online
    crop-growing books
    The book "Techniques for growing and caring for chayote" covers the techniques for growing and caring for chayote. It includes detailed, specific guidance on choosing seedlings, preparing the soil, planting, fertilising, watering, and pest and disease control, helping farmers cultivate sensibly and obtain good-quality, high-yield produce.
