
Marketplace app + Provisioning API: check if user is admin

I'm trying to check if a user is admin of their Google Apps domain, in an app installed from the Google Apps marketplace.

I added this to manifest.xml:

<Scope id="Provisioning API">
  <Url>https://apps-apis.google.com/a/feeds/user/#readonly</Url>
  <Reason>This application can list domain users to give them permissions.</Reason>
</Scope>

Then I set a test handler to get it working:

from google.appengine.ext import webapp
from google.appengine.ext.webapp import util

import gdata.alt.appengine
import gdata.apps.service
import gdata.auth

# App id, key and secret from the Google Apps Marketplace.
APPLICATION_ID = 'XXX'
CONSUMER_KEY = 'XXX'
CONSUMER_SECRET = 'XXX'

class SetupHandler(webapp.RequestHandler):
    def get(self, *args):
        # The domain where this app is installed.
        domain = 'my_customer_domain.com'
        # A username to check.
        username = 'webmaster'

        sig_method = gdata.auth.OAuthSignatureMethod.HMAC_SHA1
        service = gdata.apps.service.AppsService(source='tipfy-com',
                                                 domain=domain)
        service.SetOAuthInputParameters(sig_method, CONSUMER_KEY,
                                        consumer_secret=CONSUMER_SECRET,
                                        two_legged_oauth=True,
                                        requestor_id=APPLICATION_ID)
        service.ssl = True
        service.debug = True
        gdata.alt.appengine.run_on_appengine(service)

        lookup_user = service.RetrieveUser(username)
        if lookup_user.login.admin == 'true':
            res = username + ' is an admin.'
        else:
            res = username + ' is not an admin.'

        self.response.out.write(res)

app = webapp.WSGIApplication([
    ('/.*', SetupHandler),
], debug=True)

def main():
    util.run_wsgi_app(app)

if __name__ == '__main__':
    main()

But I get a 401 response ("Unknown authorization header"). I don't know what I'm doing incorrectly or how to debug it further.

  • Is the manifest entry correct?
  • Is splitting user.email() OK to get the user's username and domain? (I debugged it and in my case I got 'webmaster' and 'example.com', which was the user and Google Apps domain where the app was installed.)

What am I missing?

Edit: For some reason, the admin panel didn't ask permission to grant access to the provided scopes. After I granted it, the code above worked. So take it as a working example!

moraes asked Nov 04 '22 21:11


1 Answer

You don't have to re-add your app for the scopes to work, just make sure in your Google Apps admin dashboard, on the application settings, you "Grant access" and the Data Access is "Granted". Otherwise just grant that access.

Splitting user.email() works like a charm for me, because user.nickname() in localhost testing contains a full email, not like production (where it contains the username).

Make sure the user requesting is an admin.

Carlos Ricardo answered Nov 12 '22 16:11
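An added example, not part of the original question or answer: one way to do the user.email() split discussed above and gate on the admin flag so that every failure path denies access. The names `split_apps_email`, `is_domain_admin` and `retrieve_user` are hypothetical (`retrieve_user` stands in for `service.RetrieveUser`), the comparison against a known installed domain is an assumption, and the sample directory is constructed.

```python
from collections import namedtuple


def split_apps_email(email):
    """Return (username, domain), lowercased, or None if the address is malformed."""
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().rpartition('@')
    # Reject a bare nickname, empty parts, or more than one '@'.
    if not sep or not local or not domain or '@' in local:
        return None
    return local.lower(), domain.lower()


def is_domain_admin(email, installed_domain, retrieve_user):
    """True only if email is in installed_domain and the user entry says admin.

    Fails closed: a malformed address, a foreign domain, a lookup error or a
    missing admin flag all return False.
    """
    parts = split_apps_email(email)
    if parts is None:
        return False
    username, domain = parts
    if domain != installed_domain.lower():
        return False
    try:
        entry = retrieve_user(username)
    except Exception:
        # Any lookup failure (401, unknown user, network) means "not admin".
        return False
    login = getattr(entry, 'login', None)
    # The flag is compared as the string 'true', as in the handler above.
    return getattr(login, 'admin', None) == 'true'


# Constructed sample data standing in for Provisioning API user entries.
Login = namedtuple('Login', 'admin')
Entry = namedtuple('Entry', 'login')
_DIRECTORY = {'webmaster': Entry(Login('true')), 'alice': Entry(Login('false'))}


def fake_retrieve_user(username):
    """Hypothetical stub; raises KeyError for users not in the sample data."""
    return _DIRECTORY[username]
```

In the handler, the stub would be replaced by a call that wraps `service.RetrieveUser`, with `installed_domain` set to the domain the service object was created for.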