What I do is require Google authentication and then check the user's email address and domain against a whitelist. I had some trouble at first because GMail addresses ignore internal periods, so for instance ad...@gmail.com and ada...@gmail.com are the same address. In fact they are also the same as ad...@googlemail.com, but I haven't worried about that case yet. I wrapped this into a class that all my request handlers descend from:
class MyPage(webapp2.RequestHandler): def validate_user(self, page_template): template = JINJA_ENVIRONMENT.get_template('under_construction.html') if users.get_current_user(): url = users.create_logout_url(self.request.uri) url_linktext = 'Logout' email = users.get_current_user().email() # pylint: disable=unused-variable address, domain = email.split("@") canonical_address = address.replace('.', '') canonical_email = canonical_address + '@' + domain if (domain in WHITELISTED_DOMAINS or canonical_email in WHITELISTED_ADDRESSES): template = JINJA_ENVIRONMENT.get_template(page_template) else: logging.info('Login disallowed for: %s', email) else: url = users.create_login_url(self.request.uri) url_linktext = 'Login' template_values = { 'url': url, 'url_linktext': url_linktext, } return template, template_values Each concrete request handler begins something like this: def get(self): template, template_values = self.validate_user(PAGE_TEMPLATE) Suggestions for improvement are welcome! -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at http://groups.google.com/group/google-appengine. For more options, visit https://groups.google.com/d/optout.