Properly Securing GAE Task Queue URLs (without using app.yaml)

Tasks can bypass login: admin restrictions, however users.is_current_user_admin() will still return false, as there is technically no current user.

Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:

handlers:    

- url: /tasks/.+
  script: main.py
  login: admin

- url: .*
  script: main.py

Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.

Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.

From official GAE docs :

Requests from the Task Queue service contain the following HTTP headers:

X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA

These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.

Properly Securing GAE Task Queue URLs (without using app.yaml)

Tags:

Django

Google App Engine

Task Queue

Django Nonrel

Djangoappengine

Related

Recent Posts