Appengine: getCurrentUser() is None but app.yaml login:admin Allows Access?

Today, while working on Google AppEngine code, I thought I had discovered a bug in AppEngine, but it just turned out to be a typo. I spent a good few hours googling before tearing things apart and solving the tricky issue. As such, I am sharing my findings to help others save some time and stress. The short version is: check your regular expressions in the app.yaml file when adding security to an entire folder.

Here is the skinny:
I was running into an unexpected issue with the AppEngine users service on a folder locked down by app.yaml. I had a folder /cms/ whose contents I wanted viewable only by admin users of my Google AppEngine project. All pages inside the directory displayed the email address of the user as well as a log out link; I was using users.GetCurrentUser() and users.create_logout_url to display these. The folder itself was being locked down at the app.yaml level, and aside from this there was no other security (@require_admin decorators, etc.). After testing, I discovered I was able to return to pages within /cms/ after logging out via the users.create_logout_url link. users.GetCurrentUser() was returning None as expected, but I had figured I would be redirected to a Google login page.

I figured this might be a bug with the current SDK, but I wasn't willing to assume that until I had support. After submitting to the Python mailing list with no reply, and some googling, I started debugging the app.yaml. In the end I discovered the cause to be the URL matching condition in the app.yaml file, essentially a logical "typo". For what it is worth, I didn't check here first because I was making changes to an existing set of code that already had the app.yaml condition in place. However, if you are ever in the same boat, hopefully this info will help.

So, if you think you have a folder locked down with app.yaml and users are still able to visit the page while logged out, check the url conditions. Examples below:

My app.yaml has

#- url: /cms # BAD VERSION - only protects a file named cms in the root, not the cms folder
- url: /cms.* # GOOD VERSION - protects any url matching the regexp "starts with '/cms' followed by any number of characters (including '/') "
  script: main.py
  login: admin
  secure: always
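To see which paths each version actually covers, here is a small Python model of App Engine's first-match handler lookup, added as an example and not part of the original post. It assumes an unprotected catch-all handler after the admin-only one (typical for a single main.py app), which is what lets the BAD version serve /cms/ pages to a logged-out user; it also shows that /cms.* additionally catches unrelated paths such as /cmsfoo, so a tighter pattern may be preferable in some layouts.

```python
import re

# Constructed handler lists modelling the two app.yaml variants above.
# App Engine walks handlers in order and serves the request with the first
# one whose regexp matches the ENTIRE request path. The trailing catch-all
# is an assumption: without it, unmatched paths would simply 404.
BAD_HANDLERS = [
    {"url": r"/cms", "login": "admin"},    # matches only the path "/cms"
    {"url": r".*", "login": None},         # assumed unprotected catch-all
]
GOOD_HANDLERS = [
    {"url": r"/cms.*", "login": "admin"},  # "/cms", "/cms/", "/cms/x", "/cmsfoo"
    {"url": r".*", "login": None},
]
# Guy's comment below: "/order/.*" never matches the bare "/order" path.
ORDER_HANDLERS = [
    {"url": r"/order/.*", "login": "required"},
    {"url": r".*", "login": None},
]


def match_handler(handlers, path):
    """Return the first handler whose pattern full-matches path, else None (404)."""
    for handler in handlers:
        if re.fullmatch(handler["url"], path):
            return handler
    return None


def required_login(handlers, path):
    """Login level app.yaml would enforce for path: 'admin', 'required' or None."""
    handler = match_handler(handlers, path)
    return handler["login"] if handler else None


def unprotected_paths(handlers, paths, prefix, level="admin"):
    """Audit check: paths under prefix that do NOT reach a handler with the
    expected login level, i.e. pages a logged-out user could still load."""
    return [p for p in paths
            if p.startswith(prefix) and required_login(handlers, p) != level]


# Constructed sample of paths a CMS folder might expose.
SAMPLE_PATHS = ["/cms", "/cms/", "/cms/edit", "/cms/pages/1", "/cmsfoo", "/home/"]

if __name__ == "__main__":
    print("BAD leaves open :", unprotected_paths(BAD_HANDLERS, SAMPLE_PATHS, "/cms"))
    print("GOOD leaves open:", unprotected_paths(GOOD_HANDLERS, SAMPLE_PATHS, "/cms"))
    print("/cmsfoo under GOOD needs:", required_login(GOOD_HANDLERS, "/cmsfoo"))
    print("/order under /order/.* needs:", required_login(ORDER_HANDLERS, "/order"))
```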

Hopefully, that helps someone out. I know I wasted a lunch break figuring it out.

On the page, I display the value of users.GetCurrentUser() and have a logout link generated by users.create_logout_url('/home/').
When I click logout, I am redirected to /home/ as expected.

The odd behavior is that I can then go to /cms/ again without having to reauthenticate. The value of users.GetCurrentUser() is None (as expected).
However, I would expect the app.yaml to cause me to be redirected to the Google login screen when trying to revisit logged out.

I have not tested on production yet. Is this correct behavior and/or a known issue on dev sdk?

  • Guy

    Hi,
    thanks for sharing. I ran into a subtle version of this when trying to secure:
    - url: /order/.*

    instead of
    - url: /order.*

  • Scott

    You rock! I was trying to figure out why one of the pages in a directory was still accessible even though I had specified “login: required” in the App YAML. Started Googling around and found your post, which saved me all kinds of time. I’m not strong at all with RegEx so the problem wasn’t immediately obvious to me like it may be for some. Thanks!! :)

Copyright © 1997 - 2010 Blaine Garrett All Rights Reserved