Appengine: getCurrentUser() is None but app.yaml login:admin Allows Access?

May 14th, 2010  by Blaine Garrett

Today, while working on Google AppEngine code, I discovered what I thought was a bug in AppEngine, but it turned out to be a typo. I spent a good few hours googling before tearing things apart and solving the tricky issue. As such, I am sharing my findings to help others save some time and stress. Short version: check your regular expressions in the app.yaml file when adding security to an entire folder.

Here is the skinny. I was running into an unexpected issue with the AppEngine users service on a folder locked down by app.yaml. I had a folder /cms/ whose contents I wanted visible only to admin users of my Google AppEngine project. All pages inside the directory displayed the email address of the user as well as a log out link. I was using users.GetCurrentUser() and users.create_logout_url to display this. The folder itself was being locked down at the app.yaml level. Aside from this, there was no other security (@require_admin decorators, etc.).

After testing, I discovered I was able to return to pages within /cms/ while logged out via the users.create_logout_url link. users.GetCurrentUser() was returning None as expected, but I figured I would be redirected to a Google login page. I figured this might be a bug with the current SDK, but I wasn't willing to assume that until I had support. After submitting to the Python mailing list (no reply) and some googling, I started debugging the app.yaml. In the end I discovered it to be the url matching condition in the app.yaml file, essentially a logical "typo". For what it is worth, I didn't check here first because I am making changes to an existing set of code that already had the app.yaml condition in place. However, if you are ever in the same boat, hopefully this info will help. So, if you think you have a folder locked down with app.yaml and users are still able to visit the page while logged out, check the url conditions.
Examples below. My app.yaml has:

[source lang="yaml"]
#- url: /cms      # BAD VERSION - only protects a file named cms in the root, not the cms folder
- url: /cms.*     # GOOD VERSION - protects any url matching the regexp "starts with '/cms' followed by any number of characters (including '/')"
  script: main.py
  login: admin
  secure: always
[/source]

Hopefully, that helps someone out. I know I wasted a lunch break figuring it out.

On the page, I display the value of users.GetCurrentUser() and have a logout link generated by users.create_logout_url('/home/'). When I click logout, I am redirected to /home/ as expected. The odd behavior is that I can then go to /cms/ again without having to reauthenticate. The value of users.GetCurrentUser() is None (as expected). However, I would expect the app.yaml to cause me to be redirected to the Google login screen when trying to revisit while logged out. I have not tested on production yet. Is this correct behavior and/or a known issue on the dev SDK?
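To make the matching behaviour concrete, here is an added example (not code from the original post or from the App Engine SDK) that models how handlers in app.yaml are selected: entries are tried in order, the first matching `url` pattern wins, and the pattern is assumed to be anchored against the full request path rather than searched as a prefix. The handler lists, the catch-all `/.*` entry and the sample URLs are constructed for the example; the `/cms(/.*)?` variant is an added suggestion for a pattern that does not also swallow unrelated paths such as `/cms-public`.

```python
import re

# Constructed handler lists mirroring the app.yaml in the post (not the project's
# own file). The trailing catch-all entry is an assumption: most apps have one,
# and it is what ends up serving /cms/ when the admin entry fails to match.
HANDLERS_BAD = [
    {"url": "/cms", "script": "main.py", "login": "admin", "secure": "always"},
    {"url": "/.*", "script": "main.py"},
]

HANDLERS_GOOD = [
    {"url": "/cms.*", "script": "main.py", "login": "admin", "secure": "always"},
    {"url": "/.*", "script": "main.py"},
]

# Tighter variant (added suggestion): "/cms" itself or anything under "/cms/",
# but not "/cms-public" or "/cmsfoo".
HANDLERS_TIGHT = [
    {"url": "/cms(/.*)?", "script": "main.py", "login": "admin", "secure": "always"},
    {"url": "/.*", "script": "main.py"},
]


def match_handler(handlers, path):
    """Return the first handler whose url pattern matches the whole path.

    Assumption (see lead-in): the pattern is matched against the full request
    path, so a bare "/cms" matches only the path "/cms", never "/cms/".
    """
    for handler in handlers:
        if re.fullmatch(handler["url"], path):
            return handler
    return None


def required_login(handlers, path):
    """Login level the serving handler demands: 'admin', 'required' or 'optional'.

    Returns None when no handler matches at all (App Engine would answer 404).
    """
    handler = match_handler(handlers, path)
    if handler is None:
        return None
    return handler.get("login", "optional")


def unprotected_paths(handlers, paths, expected="admin"):
    """Audit helper: paths that do NOT land on a handler with the expected login level.

    This is the check the post recommends: before trusting that a folder is
    locked down, run the URLs you care about through the handler table.
    """
    return [p for p in paths if required_login(handlers, p) != expected]


# Constructed sample URLs a logged-out user might request under /cms/.
CMS_PATHS = ["/cms", "/cms/", "/cms/edit", "/cms/pages/1"]


if __name__ == "__main__":
    for name, handlers in [("bad", HANDLERS_BAD), ("good", HANDLERS_GOOD), ("tight", HANDLERS_TIGHT)]:
        print(name, "reachable without admin:", unprotected_paths(handlers, CMS_PATHS))
        print(name, "/cms-public requires:", required_login(handlers, "/cms-public"))
```

With the `/cms` pattern only the exact path `/cms` is admin-only; `/cms/`, `/cms/edit` and everything else under the folder falls through to the catch-all and is served to anyone, which is exactly the symptom in the post (`users.GetCurrentUser()` is `None`, yet the page renders). `/cms.*` fixes that, at the cost of also making `/cms-public` admin-only; whether that over-match matters depends on your other URLs, which is why the audit above takes a list of paths rather than a single one.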