I am writing a small app that uses the GAE. I have parts of my app that are for administrative use only. I have two options using login: admin option in the app.yaml or google.appengine.api.users.is_current_user_admin() in python code. The basic authentication is sufficient for my case.
Which solution is better?
The advantage of using app.yaml is that the python code is a bit cleaner. Plus it may be the case that app.yaml may be more efficient, since it can be handled in the server. (In the worst case it is equal in terms of performance.) The only drawback is that I do not display a custom page, but I don't care too much for that.
I am unsure if my assertions are correct.
I would say your assertions are correct. Let's say you have the following in your app.yaml:
- url: /admin/.*
  script: admin.py
  login: admin
If you want everything in admin.py to be restricted to administrators, the configuration above ought to be more performant: you can fail unauthorized requests without ever spinning up admin.py.
Checking users.is_current_user_admin() is useful when you want to define more granular logic and behavior. Perhaps you have a handler that should be available whether the user is an admin, a non-admin, or not logged in; you just need to check their current state so you can return the appropriate HTML.
If you have handlers which are only accessible to admins, then app.yaml certainly seems like the easiest way to secure the pages those handlers expose.
However, if you have some handlers which serve both admin and non-admin views (e.g., your main.py), then you'll have to use something more fine-grained than app.yaml (e.g., google.appengine.api.users.is_current_user_admin()).
I'd expect performance to be roughly equivalent once your application is running (a negligible fraction of the time it takes to load your page).
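The contrast both answers draw, as an added example that is not part of either answer or of App Engine itself: a route-level gate that mirrors `login: admin` (the request is rejected before the handler script ever runs) next to a single handler that uses `is_current_user_admin()` to serve admins, non-admins and anonymous visitors differently. The real API is `google.appengine.api.users` (`get_current_user`, `is_current_user_admin`, `create_login_url`); `FakeUsers` is a constructed stand-in with the same method names so the example runs offline, and `ROUTES`, `dispatch`, `main_view`, `admin_view` and `handle` are names assumed for this example.

```python
import re

# Constructed stand-in for google.appengine.api.users so the example runs
# offline; the real module exposes the same three method names used here.
class FakeUsers(object):
    def __init__(self, email=None, admin=False):
        self._email = email
        self._admin = admin and email is not None

    def get_current_user(self):
        # The real API returns a User object; an email string is enough here.
        return self._email

    def is_current_user_admin(self):
        return self._admin

    def create_login_url(self, dest_url):
        return "/_ah/login?continue=" + dest_url


# Approach 1: route-level gate, mirroring `login: admin` in app.yaml.
# Constructed routes; the script of a rejected request is never invoked.
ROUTES = [
    {"url": r"/admin/.*", "script": "admin", "login": "admin"},
    {"url": r"/.*", "script": "main", "login": None},
]


def dispatch(path, users, scripts):
    """Return (status, body). Mimics the App Engine frontend: on a
    `login: admin` route an anonymous user is redirected to sign in and a
    signed-in non-admin gets 403, before any handler code runs."""
    for route in ROUTES:
        if re.match(route["url"] + "$", path):
            if route["login"] == "admin":
                if users.get_current_user() is None:
                    return 302, users.create_login_url(path)
                if not users.is_current_user_admin():
                    return 403, "Forbidden"
            return scripts[route["script"]](path, users)
    return 404, "Not Found"


# Approach 2: handler-level check with is_current_user_admin().
def main_view(path, users):
    """One handler serving admins, non-admins and anonymous visitors with
    different content: the case app.yaml alone cannot express."""
    user = users.get_current_user()
    if user is None:
        return 200, "<a href='%s'>Sign in</a>" % users.create_login_url(path)
    if users.is_current_user_admin():
        return 200, "Welcome %s, <a href='/admin/'>admin panel</a>" % user
    return 200, "Welcome %s" % user


def admin_view(path, users):
    """Only reached once the route gate has passed; re-checking here is a
    cheap defence in depth against a later edit that loosens app.yaml."""
    if not users.is_current_user_admin():
        return 403, "Forbidden"
    return 200, "Admin dashboard"


SCRIPTS = {"main": main_view, "admin": admin_view}


def handle(path, email=None, admin=False):
    """Simulate one request as the given (constructed) user."""
    return dispatch(path, FakeUsers(email, admin), SCRIPTS)


if __name__ == "__main__":
    for args in [("/admin/users",), ("/admin/users", "bob@example.com"),
                 ("/admin/users", "alice@example.com", True), ("/",),
                 ("/", "bob@example.com"), ("/", "alice@example.com", True)]:
        print(args, "->", handle(*args))
```

The point the simulation makes is the one in the answers: on the `/admin/.*` route the decision is taken by the dispatcher from the route table alone, so `admin_view` never runs for a rejected request, while `main_view` has to inspect the user state itself because it is one handler with three outcomes.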