Checking the code again. appadmin.py calls check_credentials to decide if 
you have access. On GAE it does (in gluon/fileutils.py/check_credentials):

def check_credentials(request, other_application='admin',
                      expiration=60 * 60, gae_login=True):
    """Decide whether the caller may use appadmin; only the GAE branch is shown."""
    if request.env.web2py_runtime_gae:
        from gluon.http import HTTP
        from google.appengine.api import users
        if users.is_current_user_admin():
            # Google reports the signed-in account as an application administrator
            return True
        elif gae_login:
            # not an admin (or nobody signed in): hand the browser to Google's login page
            login_html = '<a href="%s">Sign in with your google account</a>.' \
                % users.create_login_url(request.env.path_info)
            raise HTTP(200, '<html><body>%s</body></html>' % login_html)
        else:
            return False

users is the GAE API. So if you are not logged in, it asks you to sign 
in. If you are signed in and the user is an administrator, it returns True. 
Now Google manages your access, not web2py. This is how Google App Engine works. 

Appadmin has nothing to do with the session of your application. It relies 
exclusively on check_credentials, which relies on Google login. 

You as administrator have to know this and have to logout from Google in 
order to disable access to appadmin.

Am I not understanding the issue?



On Wednesday, 7 January 2015 17:10:48 UTC-6, Jacinto Parga wrote:
>
> First of all thanks so much for your attention Massimo.
>
> So I have done a complete example of what I mean.
>
> I have deployed an application in GAE: http://web2gae.appspot.com
>
> It has a user with administration privileges called:  
> superad...@example.com  with password: superadmin
>
> I have created a google email that can log in the google appengine console 
> (with view privileges): web2gae2...@gmail.com   with password: 
> superadmin
>
> So the thing is, I write in a browser (with no session in gmail or gae 
> initiated): https://web2gae.appspot.com/appadmin
>
> and I can access the database appadmin without logging in to the 
> application, just accessing with the google account web2gae2...@gmail.com 
>
> The thing is that the session may remain in the browser even if I log out 
> of the google account. It depends on the browser settings. Without control of 
> the apps permissions.
>
> And I can't find the app /admin to logout once I am in google app engine 
> application.
>
> I hope the example is good...
>
> On Wednesday, 7 January 2015 20:20:25 UTC+1, Massimo Di Pierro 
> wrote:
>>
>> Did you try to go to the admin app /admin and press the [logout] button?
>>
>> On Wednesday, 7 January 2015 11:34:19 UTC-6, Jacinto Parga wrote:
>>>
>>> Well, but I log out of the application. Then I clean the browser history 
>>> and just put in the browser https://myapp.appspot.com/appadmin and I am 
>>> required to sign in with a google account.
>>>
>>> I do so, and I can access the complete appadmin functionality, but I had 
>>> not logged in to the application at all, neither as a user with admin 
>>> privileges nor as a simple user. And there is no way to log out as I have not 
>>> logged in to the application. If I log out of my google account I can continue 
>>> using the appadmin interface. Even if I log in with another different 
>>> google account and access the appadmin several minutes later.
>>>
>>> If I use https://myapp.appspot.com/appadmin/manage/auth then 
>>> everything works fine because I have to log in as a user with admin 
>>> privileges.
>>>
>>> It is very useful for me to be able to access appadmin in the 
>>> application deployed in google app engine, but how can I force it to log in 
>>> as a user with admin privileges?
>>>
>>> On Wednesday, 7 January 2015 15:47:20 UTC+1, Massimo Di Pierro 
>>> wrote:
>>>>
>>>> I partially agree. Problem is you signed out of google but you did not 
>>>> sign out of admin. appadmin authorizes you if you are logged into admin. 
>>>> The fact you logout from google does not automatically sign you out from 
>>>> admin.
>>>>
>>>> Can you reproduce the problem if you sign out from admin?
>>>>
>>>> On Wednesday, 7 January 2015 06:08:13 UTC-6, Jacinto Parga wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have deployed my application in GAE and /appadmin/manage/auth works 
>>>>> fine, asking for a login to access.
>>>>>
>>>>> But, if I try to go to: https://myapp.appspot.com/appadmin
>>>>>
>>>>> Then the browser asks me: Sign in with your google account 
>>>>> <https://www.google.com/accounts/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://clubatletismosada.appspot.com/appadmin&ltmpl=gm&shdf=Ch8LEgZhaG5hbWUaE0NsdWIgQXRsZXRpc21vIFNhZGEMEgJhaCIU4rpxyPjOtFDC1cxqbSHxn4qazIsoATIUrdvnPgTHKBlIIF_ylVxiINsy4sI>
>>>>> .
>>>>>
>>>>> Ok, I sign in with my google account (the owner of the application) and I 
>>>>> can access the whole database appadmin without logging in as 
>>>>> 'administrator' like in /appadmin/manage/auth
>>>>>
>>>>> So if the browser keeps the session anyone can access my app 
>>>>> database from this browser. I have to remove the cookie of the session.
>>>>>
>>>>> I think it is a lack of security.
>>>>>
>>>>> So I would like to limit the access to 
>>>>> https://myapp.appspot.com/appadmin in the same way that 
>>>>> /appadmin/manage/auth
>>>>>
>>>>> Thanks
>>>>>
>>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
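For comparison, an added example that is not code from web2py, the GAE SDK or anyone in this thread: it models the stock GAE branch of check_credentials quoted above next to a combined check that also requires the application's own login with the 'admin' role, which is what /appadmin/manage/auth already enforces. The GAE users API and web2py's auth object are replaced by constructed dicts and callables so the module runs offline; the role name 'admin', the e-mail addresses and the login URL are assumptions. In a deployed app the combined check would go at the top of the app's own controllers/appadmin.py, using auth.is_logged_in() and auth.has_membership(role='admin') for the application side.

```python
# Added example (not web2py's or the GAE SDK's code). Two authorization
# policies for appadmin on GAE, compared over constructed scenarios:
#   stock_policy    - Google's users.is_current_user_admin() alone decides
#   combined_policy - the application's own Auth must also show a logged-in
#                     user holding the 'admin' role (assumed group name)


class LoginRequired(Exception):
    """Stand-in for the HTTP(200, 'Sign in with your google account ...')
    that check_credentials raises on GAE when the Google check fails."""


def stock_policy(google_user, gae_login=True):
    """Same decision as the quoted GAE branch of check_credentials.
    google_user is None when nobody is signed in to Google, otherwise a
    dict with 'email' and 'is_admin' (stand-in for the users API)."""
    if google_user is not None and google_user.get("is_admin"):
        return True
    if gae_login:
        # constructed placeholder for users.create_login_url(path)
        raise LoginRequired("/_ah/login?continue=/appadmin")
    return False


def combined_policy(google_user, app_session, app_groups, gae_login=True):
    """Hardened variant: the application's Auth must also show a logged-in
    user who holds the 'admin' role, so a lingering Google or browser
    session is not enough on its own.
    app_session: dict with 'user' (e-mail or None), modelling auth.user.
    app_groups: mapping e-mail -> set of role names, modelling
    auth.has_membership(role=...)."""
    user = app_session.get("user")
    if user is None or "admin" not in app_groups.get(user, set()):
        # refuse before consulting Google: the app login is the control
        # the application owner can grant and revoke directly
        return False
    return stock_policy(google_user, gae_login)


def decide(policy, **kwargs):
    """Run a policy and flatten the outcome to True / False / 'login_required'."""
    try:
        return policy(**kwargs)
    except LoginRequired:
        return "login_required"


# Constructed roles table for the application's own Auth: one app admin.
APP_GROUPS = {"superadmin@example.com": {"admin"}}

# Constructed stand-ins for what the GAE users API would report.
GOOGLE_ADMIN = {"email": "owner@example.com", "is_admin": True}
GOOGLE_VIEWER = {"email": "viewer@example.com", "is_admin": False}


def evaluate_scenarios():
    """Compare both policies over the situations raised in the thread.
    Returns {scenario: (stock_outcome, combined_outcome)}."""
    scenarios = {
        # the reported problem: Google admin session, never logged in to the app
        "google_admin_no_app_login": (GOOGLE_ADMIN, {"user": None}),
        # app admin logged in, but the Google session already ended
        "app_admin_google_signed_out": (None, {"user": "superadmin@example.com"}),
        # viewer-level Google account plus app admin login
        "app_admin_google_viewer": (GOOGLE_VIEWER, {"user": "superadmin@example.com"}),
        # both controls satisfied
        "google_admin_and_app_admin": (GOOGLE_ADMIN, {"user": "superadmin@example.com"}),
        # ordinary app user with a Google admin session
        "google_admin_app_non_admin": (GOOGLE_ADMIN, {"user": "someone@example.com"}),
    }
    results = {}
    for name, (google_user, app_session) in scenarios.items():
        stock = decide(stock_policy, google_user=google_user)
        combined = decide(combined_policy, google_user=google_user,
                          app_session=app_session, app_groups=APP_GROUPS)
        results[name] = (stock, combined)
    return results


if __name__ == "__main__":
    for name, (stock, combined) in evaluate_scenarios().items():
        print("%-30s stock=%-15s combined=%s" % (name, stock, combined))
```

The first and last scenarios are the ones the thread is about: the stock check lets a Google administrator straight into appadmin, while the combined check refuses until the application's own admin login has happened, and it keeps refusing for an application user who is not in the 'admin' group even when the Google session is an administrator's.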