Hi All, I am quite new to Google App Engine. I am learning things every day. I have a forum on Google App Engine, but I want it to have private or restricted parts. Some features should be locked for certain Google account users, who are in some sort of access control list.

In plain words: only those users who are in the access list can see the forum; the rest will be redirected to the "contact to admin" page.

As I am new, I want to know whether this is possible. If yes, how can I achieve it? Thanks, Alok

+2  A: 

If you are using the built-in Users API, you can check users.is_current_user_admin() as an access control mechanism. Administrators can be managed via the dashboard.

If you need more granular, application-specific authorization logic, generally you would create a User model in the datastore that references the built-in UserProperty and also holds a list of roles or whatever else you need to check authorization.

Drew Sears
Thanks for your reply, Drew.
Alok
Could you tell me where I can find more documentation about the datastore and how to create a User Model?
Alok
A: 

To follow up Drew's reply, I use a similar system in my app, so my server code has something like the following class definition (simplified here for clarity)

    from google.appengine.ext import db
    from google.appengine.api import users

    class myUser(db.Model):
        user       = db.UserProperty(required=True)
        rights     = db.StringProperty(required=True, choices=set(["public", "private"]))
        created    = db.DateTimeProperty(auto_now_add=True)
        lastaccess = db.DateTimeProperty(auto_now=True)

and then I have code like this where I handle queries

    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # create a new 'public access' user if we haven't seen this person before
            u = myUser(user=user, rights="public")
        # always write the user record back after it is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights

    # isPrivateArea is the handler's own flag for the restricted part of the forum
    rights = checkUserRights(users.get_current_user())
    if isPrivateArea and rights == "private":
        ....

This way I create a user for EVERY visitor, and then I have an admin interface to change the rights of selected users - you may decide, for example, to not create a record for every visitor:

    def checkUserRights(user):
        q = db.GqlQuery("SELECT * from myUser WHERE user = :1", user)
        u = q.get()
        if not u:
            # grant default public rights to anyone we have no record for...
            return "public"
        # always write the user record back after it is fetched (updates the lastaccess field)
        db.put(u)
        return u.rights

This is, of course, on a page where the app.yaml specifies "login: required".

Tim
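An added example, not code from either answer, of the fail-closed decision the question asks for: an in-memory stand-in for the myUser lookup (the ACL dict and the e-mail addresses are constructed), an admin bypass as in Drew's answer, and a decorator that sends unlisted accounts to an assumed "/contact-admin" page instead of the restricted forum.

```python
from functools import wraps

CONTACT_ADMIN_URL = "/contact-admin"  # assumed redirect target for unlisted users

# Constructed stand-in for the myUser entities: Google account e-mail -> rights.
# In the real app this lookup would run the "SELECT * from myUser WHERE user = :1" query.
ACL = {
    "alice@example.com": "private",
    "bob@example.com": "public",
}

def lookup_rights(email):
    """Rights stored for this account, or None if the account is not listed.
    Unlisted visitors get no record and no rights (no auto-create here)."""
    return ACL.get(email)

def authorize(email, is_admin, area):
    """Decide whether a logged-in account may see `area` ("public" or "private").
    Returns ("allow", None) or ("redirect", CONTACT_ADMIN_URL)."""
    if email is None:
        # no logged-in account; "login: required" in app.yaml should stop this earlier
        return ("redirect", CONTACT_ADMIN_URL)
    if is_admin:
        # dashboard-managed admins (users.is_current_user_admin()) always get in
        return ("allow", None)
    if area == "public":
        return ("allow", None)
    if lookup_rights(email) == "private":
        return ("allow", None)
    # default deny: unlisted and "public"-only accounts are sent to the admin page
    return ("redirect", CONTACT_ADMIN_URL)

def require_rights(area):
    """Wrap a handler(email, is_admin) so it only runs when authorize() allows."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(email, is_admin):
            decision, target = authorize(email, is_admin, area)
            if decision == "redirect":
                return ("302", target)  # stand-in for self.redirect(target)
            return handler(email, is_admin)
        return wrapper
    return decorator

@require_rights("private")
def private_forum(email, is_admin):
    """Handler for the restricted part of the forum."""
    return ("200", "private forum for " + email)
```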