Properly Securing GAE Task Queue URLs (without using app.yaml)

Tasks can bypass login: admin restrictions; however, users.is_current_user_admin() will still return false, as there is technically no current user.

Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:

handlers:
- url: /tasks/.+
  script: main.py
  login: admin

- url: .*
  script: main.py

Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.
Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.

From the official GAE docs:

Requests from the Task Queue service contain the following HTTP headers:

X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA

These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.
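As an added example (not code from any of the answers above), here is the header check in Python, written against a WSGI-style environ / Django `request.META` dict so it runs without Django or the App Engine SDK; the `FakeRequest` class, the `process_task` view and the `(status, body)` return tuples are assumptions standing in for `HttpRequest` / `HttpResponse` objects.

```python
from functools import wraps

# Header names exactly as listed in the App Engine docs quoted above.
TASK_QUEUE_HEADERS = (
    "X-AppEngine-QueueName",
    "X-AppEngine-TaskName",
    "X-AppEngine-TaskRetryCount",
    "X-AppEngine-TaskExecutionCount",
    "X-AppEngine-TaskETA",
)


def environ_key(header):
    """WSGI spells 'X-AppEngine-QueueName' as 'HTTP_X_APPENGINE_QUEUENAME'."""
    return "HTTP_" + header.upper().replace("-", "_")


def is_task_queue_request(meta):
    """Return True if the WSGI environ / Django request.META carries a
    non-empty Task Queue header. App Engine strips these headers from
    requests arriving from outside, so their presence is trustworthy."""
    return any(meta.get(environ_key(h)) for h in TASK_QUEUE_HEADERS)


def task_queue_only(view):
    """Decorator for a Django-style view (assumed: first argument has a
    .META dict). Non-task requests get a 403 and the view never runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not is_task_queue_request(request.META):
            return 403, "Forbidden: not a Task Queue request"
        return view(request, *args, **kwargs)
    return wrapper


class FakeRequest(object):
    """Constructed stand-in for django.http.HttpRequest (only .META)."""
    def __init__(self, meta):
        self.META = meta


@task_queue_only
def process_task(request):
    """Hypothetical task handler that reports which queue invoked it."""
    return 200, "ran from queue %s" % request.META["HTTP_X_APPENGINE_QUEUENAME"]


if __name__ == "__main__":
    # Constructed sample environs: one genuine task request, one external.
    print(process_task(FakeRequest({"HTTP_X_APPENGINE_QUEUENAME": "default"})))
    print(process_task(FakeRequest({"HTTP_USER_AGENT": "curl/7.0"})))
```

In a real Django view the 403 tuple would be a `HttpResponseForbidden`; the check itself is unchanged.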