I want to secure my Task Queue URLs against malicious access.
In the views that the Task Queue requests I've got:
if not users.is_current_user_admin():
    return HttpResponse(status=403)
But my Task Queues are receiving 403 errors! I was under the impression from this GAE documentation that the Task Queue user was guaranteed to be an admin. What gives?
NOTE: I'm using DjangoNonRel so I can't specify the admin-only URL access in my app.yaml, I have to do it programmatically in the views.
Tasks can bypass login: admin restrictions, however users.is_current_user_admin() will still return false, as there is technically no current user.
Using Django-nonrel shouldn't stop you from protecting your tasks with app.yaml. Just add a protected handler above your Django catch-all:
handlers:
- url: /tasks/.+
  script: main.py
  login: admin
- url: .*
  script: main.py
Any URLs that start with /tasks/ will be accessible to the task queue and inaccessible to non-admin visitors, without changing how anything routes.
Your handlers can look for a task queue HTTP header, such as X-AppEngine-QueueName.
From the official GAE docs:
Requests from the Task Queue service contain the following HTTP headers:
X-AppEngine-QueueName
X-AppEngine-TaskName
X-AppEngine-TaskRetryCount
X-AppEngine-TaskExecutionCount
X-AppEngine-TaskETA
These headers are set internally by Google App Engine. If your request handler finds any of these headers, it can trust that the request is a Task Queue request. If any of the above headers are present in an external user request to your app, they are stripped.
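One way to apply that header check in a Django view, as an added example that is not part of the answer: the decorator below replaces the is_current_user_admin() check from the question. FakeRequest and the sample requests are constructed stand-ins, and HttpResponse falls back to a minimal class when Django is not installed.

```python
import functools

try:
    from django.http import HttpResponse
except ImportError:  # stand-in so the example also runs without Django installed
    class HttpResponse:
        def __init__(self, content=b"", status=200):
            self.content, self.status_code = content, status

# Django exposes the header X-AppEngine-QueueName in request.META under the
# WSGI name HTTP_X_APPENGINE_QUEUENAME; the other task headers follow suit.
TASK_QUEUE_META_KEYS = (
    "HTTP_X_APPENGINE_QUEUENAME",
    "HTTP_X_APPENGINE_TASKNAME",
    "HTTP_X_APPENGINE_TASKRETRYCOUNT",
    "HTTP_X_APPENGINE_TASKEXECUTIONCOUNT",
    "HTTP_X_APPENGINE_TASKETA",
)

def is_task_queue_request(meta):
    # App Engine strips these headers from external requests, so their
    # presence is trustworthy only when the app is served by App Engine.
    return any(meta.get(key) for key in TASK_QUEUE_META_KEYS)

def task_queue_only(view):
    """Decorator replacing the is_current_user_admin() check from the question."""
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if not is_task_queue_request(request.META):
            return HttpResponse(status=403)
        return view(request, *args, **kwargs)
    return wrapper

class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (only META is needed)."""
    def __init__(self, meta):
        self.META = meta

@task_queue_only
def process_task(request):
    return HttpResponse(b"ok", status=200)

def demo():
    # Constructed sample requests: one from the task queue, one external.
    from_queue = FakeRequest({"HTTP_X_APPENGINE_QUEUENAME": "default",
                              "HTTP_X_APPENGINE_TASKNAME": "task-1"})
    external = FakeRequest({"HTTP_USER_AGENT": "curl/7.0"})
    return process_task(from_queue).status_code, process_task(external).status_code
```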