/appadmin/manage/auth GAE access


Jacinto Parga

Jan 7, 2015, 7:08:13 AM1/7/15
Hi

I have deployed my application in GAE and /appadmin/manage/auth works fine, asking for a login to access.

But, if I try to go to: https://myapp.appspot.com/appadmin

Then the browser asks me: Sign in with your google account.

Ok, I sign in with my Google account (the owner of the application) and I can access the whole database appadmin without logging in as 'administrator' like in /appadmin/manage/auth

So if the browser keeps the session, anyone can access my app database from this browser. I have to remove the session cookie.

I think it is a lack of security.

So I would like to limit access to https://myapp.appspot.com/appadmin in the same way as /appadmin/manage/auth

Thanks

Massimo Di Pierro

Jan 7, 2015, 9:47:20 AM1/7/15
to web...@googlegroups.com
I partially agree. The problem is you signed out of Google but you did not sign out of admin. appadmin authorizes you if you are logged into admin. The fact that you log out from Google does not automatically sign you out from admin.

Can you reproduce the problem if you sign out from admin?

Jacinto Parga

Jan 7, 2015, 12:34:19 PM1/7/15
to web...@googlegroups.com
Well, but I log out of the application. Then I clean the browser history and just type https://myapp.appspot.com/appadmin into the browser.
I am required to sign in with a Google account.


I do so, and I can access the complete appadmin functionality, but I had not logged in to the application at all, neither as a user with admin privileges nor as a simple user. And there is no way to log out, as I have not logged in to the application. If I log out of my Google account I can continue using the appadmin interface. Even if I log in with a different Google account and access appadmin several minutes later.

If I use https://myapp.appspot.com/appadmin/manage/auth then everything works fine because I have to log in as a user with admin privileges.

It is very useful for me to be able to access appadmin in the application deployed in Google App Engine, but how can I force it to require logging in as a user with admin privileges?

Massimo Di Pierro

Jan 7, 2015, 2:20:25 PM1/7/15
to web...@googlegroups.com
Did you try going to the admin app /admin and pressing the [logout] button?

Jacinto Parga

Jan 7, 2015, 2:45:31 PM1/7/15
to web...@googlegroups.com

I have no [logout] button when I am in https://myapp.appspot.com/appadmin because I have not logged in. I can access this page through Google account access.

I have tried to deploy the application through a terminal with the local server admin app logged out, but it had no effect.

I'll make a complete example in a few minutes...

Jacinto Parga

Jan 7, 2015, 6:10:48 PM1/7/15
to web...@googlegroups.com
First of all thanks so much for your attention Massimo.

So I have made a complete example of what I mean.

I have deployed an application in GAE: http://web2gae.appspot.com

It has a user with administration privileges called: super...@example.com with password: superadmin

I have created a Google email that can log in to the Google App Engine console (with view privileges): web2g...@gmail.com with password: superadmin

So the thing is, I type in a browser (with no Gmail or GAE session initiated): https://web2gae.appspot.com/appadmin

and I can access the database appadmin without logging in to the application, just by accessing with the Google account web2g...@gmail.com

The thing is that the session may remain in the browser even if I log out of the Google account. It depends on the browser settings. Without control of the app's permissions.

And I can't find the app /admin to logout once I am in google app engine application.

I hope the example is good...

Massimo Di Pierro

Jan 9, 2015, 12:05:52 AM1/9/15
to web...@googlegroups.com
Checking the code again. appadmin.py calls check_credentials to decide if you have access. On GAE it does this (in gluon/fileutils.py, check_credentials):

from gluon.http import HTTP

def check_credentials(request, other_application='admin',
                      expiration=60 * 60, gae_login=True):
    if request.env.web2py_runtime_gae:
        from google.appengine.api import users
        if users.is_current_user_admin():
            # Google reports the signed-in account as an App Engine admin
            return True
        elif gae_login:
            # nobody signed in to Google: send them to the Google login page
            login_html = '<a href="%s">Sign in with your google account</a>.' \
                % users.create_login_url(request.env.path_info)
            raise HTTP(200, '<html><body>%s</body></html>' % login_html)
        else:
            return False

users is a GAE API. So if you are not logged in it asks you to sign in. If you are signed in and the user is an administrator, it returns True. Now Google manages your access, not web2py. This is how Google App Engine works.

Appadmin has nothing to do with the session of your application. It relies exclusively on check_credentials, which relies on Google login.

You as administrator have to know this and have to logout from Google in order to disable access to appadmin.

Am I not understanding the issue?
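The decision above depends only on Google's `is_current_user_admin()`. As an added example (not web2py's code and not part of this thread), the gate below models a stricter policy that also demands a web2py Auth login with an 'admin' role and an idle timeout on the appadmin session, so a lingering browser session alone no longer grants access. `FakeGaeUsers` and `FakeAuth` are constructed stand-ins for `google.appengine.api.users` and web2py's `Auth` (whose real `is_logged_in()` and `has_membership(role=...)` are used), and `appadmin_allowed` is a hypothetical name.

```python
import time

# Constructed stand-ins so the gate runs offline; in a model file you would
# pass the real `users` module and the application's `auth` object instead.
class FakeGaeUsers(object):
    def __init__(self, is_admin):
        self.is_admin = is_admin

    def is_current_user_admin(self):
        return self.is_admin


class FakeAuth(object):
    def __init__(self, logged_in, roles=()):
        self.logged_in = logged_in
        self.roles = set(roles)

    def is_logged_in(self):
        return self.logged_in

    def has_membership(self, group_id=None, user_id=None, role=None):
        return role in self.roles


def appadmin_allowed(gae_users, auth, session, now=None,
                     expiration=60 * 60, admin_role='admin'):
    """Hypothetical stricter gate for appadmin on GAE. Access requires ALL of:
    the Google account is an App Engine admin, the web2py Auth user is logged
    in and holds `admin_role`, and the appadmin session was used within
    `expiration` seconds. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if not gae_users.is_current_user_admin():
        return False, 'google account is not an app engine admin'
    if not auth.is_logged_in():
        return False, 'no application login'
    if not auth.has_membership(role=admin_role):
        return False, 'application user lacks role %r' % admin_role
    last = session.get('appadmin_last_time')
    if last is not None and now - last > expiration:
        session.pop('appadmin_last_time', None)   # stale session: drop it
        return False, 'appadmin session idle for more than %d s' % expiration
    session['appadmin_last_time'] = now           # refresh the idle timer
    return True, 'ok'


if __name__ == '__main__':
    # The scenario in this thread: Google admin signed in, no application login.
    print(appadmin_allowed(FakeGaeUsers(True), FakeAuth(False), {}, now=0.0))
```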

samuel bonill

Jan 9, 2015, 10:46:27 AM1/9/15
to web...@googlegroups.com
You can use Admin-Plus ( https://github.com/pyner/admin_plus )

Jacinto Parga

Jan 9, 2015, 11:42:11 AM1/9/15
to web...@googlegroups.com
Yes!!

It is. The only issue is that the browser can store the Google session, so I have to be careful with this, because you can log out of your Google account without finishing the appadmin session.

Finally thanks, Massimo.

Jacinto Parga

Jan 9, 2015, 11:49:33 AM1/9/15
to web...@googlegroups.com
Yes, it is very nice and useful.
But I was worried because I thought that anyone could access appadmin if I forgot to clear the session in the browser after accessing with a Google account.
Thanks Samuel 