Properly Securing GAE Task Queue URLs (without using app.yaml)
Tasks can bypass login: admin restrictions; however, users.is_current_user_admin() will still return false, as there is technically no current user.
Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:
handlers:
- url: /tasks/.+
  script: main.py
  login: admin

- url: .*
  script: main.py
Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.
Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.
From the official GAE docs:
Requests from the Task Queue service contain the following HTTP headers:
X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA
These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.
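The header check described in the answer above, written out as an added example (it is not code from any of the answers or from App Engine itself). It is a plain WSGI guard using only the standard library so it runs offline: the `task_only` decorator, the `rebuild_index` handler and the `call` helper are hypothetical names, and the two requests at the bottom are constructed to show a queue-dispatched request being accepted and an outside request being refused. The guard is only sound because, as the quoted docs state, App Engine strips these headers from external requests before they reach your code.

```python
# Added example, not from the original answers: a WSGI-level guard that
# only lets a request through to a task handler when one of App Engine's
# task-queue headers is present.
from wsgiref.util import setup_testing_defaults

# Headers the Task Queue service sets. App Engine strips them from external
# requests, so their presence marks a genuine task request.
TASK_QUEUE_HEADERS = (
    "X-AppEngine-QueueName",
    "X-AppEngine-TaskName",
    "X-AppEngine-TaskRetryCount",
    "X-AppEngine-TaskExecutionCount",
    "X-AppEngine-TaskETA",
)


def _wsgi_key(header_name):
    # WSGI (and Django's request.META) expose "X-AppEngine-QueueName"
    # as the environ key HTTP_X_APPENGINE_QUEUENAME.
    return "HTTP_" + header_name.upper().replace("-", "_")


def is_task_queue_request(environ):
    """True if any task-queue header is present in the WSGI environ."""
    return any(_wsgi_key(h) in environ for h in TASK_QUEUE_HEADERS)


def task_only(handler):
    """Decorator: answer 403 to any request that did not come from the Task Queue."""
    def guarded(environ, start_response):
        if not is_task_queue_request(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"task queue only"]
        return handler(environ, start_response)
    return guarded


@task_only
def rebuild_index(environ, start_response):
    # Hypothetical task body; it just reports which queue dispatched it.
    queue = environ.get(_wsgi_key("X-AppEngine-QueueName"), "?")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("rebuilt index from queue %s" % queue).encode()]


def call(app, extra_headers=None):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/tasks/rebuild-index"
    for name, value in (extra_headers or {}).items():
        environ[_wsgi_key(name)] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    # Constructed requests: one as dispatched by the task queue, one from outside.
    print(call(rebuild_index, {"X-AppEngine-QueueName": "default"}))
    print(call(rebuild_index))
```

In a Django-nonrel view the same test is `is_task_queue_request(request.META)`, since Django stores incoming headers under the same `HTTP_`-prefixed keys. Note that this check identifies task-queue traffic only; unlike the app.yaml `login: admin` approach it does not make `users.is_current_user_admin()` return true, which matches the first comment above.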