[web2py] Re: /appadmin/manage/auth GAE access

2015-01-07 Thread Massimo Di Pierro
I partially agree. Problem is you signed out of google but you did not sign 
out of admin. appadmin authorizes you if you are logged into admin. The 
fact you log out from google does not automatically sign you out from admin.

Can you reproduce the problem if you sign out from admin?

On Wednesday, 7 January 2015 06:08:13 UTC-6, Jacinto Parga wrote:
>
> Hi
>
> I have deployed my application in GAE and /appadmin/manage/auth works 
> fine, asking for a login to access.
>
> But, if I try to go to: https://myapp.appspot.com/appadmin
>
> Then the browser asks me: Sign in with your google account.
>
> Ok, I sign in with my google account (the owner of the application) and I can 
> access the whole database appadmin without logging in as 'administrator' 
> like in /appadmin/manage/auth
>
> So if the browser keeps the session anyone can access my app database 
> from this browser. I have to remove the cookie of the session.
>
> I think it is a lack of security.
>
> So I would like to limit the access to https://myapp.appspot.com/appadmin 
> in the same way as /appadmin/manage/auth
>
> Thanks
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[web2py] Re: /appadmin/manage/auth GAE access

2015-01-07 Thread Jacinto Parga
Well, but I log out of the application. Then I clear the browser history and 
just put in the browser
https://myapp.appspot.com/appadmin
I am required to sign in with a google account.

I do so, and I can access the complete appadmin functionality, but I had 
not logged in to the application at all, neither as a user with admin 
privileges nor as a simple user. And there is no way to log out as I have not 
logged in to the application. If I log out of my google account I can continue 
using the appadmin interface. Even if I log in with another different 
google account and access the appadmin several minutes later.

If I use https://myapp.appspot.com/appadmin/manage/auth then everything 
works fine because I have to log in as a user with admin privileges.

It is very useful for me to be able to access appadmin in the 
application deployed in google app engine, but how can I force it to log in 
as a user with admin privileges?



[web2py] Re: /appadmin/manage/auth GAE access

2015-01-07 Thread Massimo Di Pierro
Did you try to go to the admin app /admin and press the [logout] button?



[web2py] Re: /appadmin/manage/auth GAE access

2015-01-07 Thread Jacinto Parga

I have no [logout] button when I am in https://myapp.appspot.com/appadmin 
because I have not logged in. I can access this page through google 
account access

I have tried to deploy the application through a terminal with the local 
server admin app logged out, but it had no effect.

I'll make a complete example in a few minutes...




[web2py] Re: /appadmin/manage/auth GAE access

2015-01-07 Thread Jacinto Parga
First of all thanks so much for your attention Massimo.

So I have done a complete example of what I mean.

I have deployed an application in GAE: http://web2gae.appspot.com

It has a user with administration privileges called: 
 superad...@example.com  with password: superadmin

I have created a google email that can log in to the google appengine console 
(with view privileges): web2gae2...@gmail.com   with password: superadmin

So the thing is, I write in a browser (with no session in gmail or gae 
initiated): https://web2gae.appspot.com/appadmin

and I can access the database appadmin without logging in to the 
application, just accessing with the google account web2gae2...@gmail.com 

The thing is that the session may remain in the browser even if I log out 
of the google account. It depends on the browser settings. Without control of 
the apps permissions.

And I can't find the app /admin to log out once I am in the google app engine 
application.

I hope the example is good...



[web2py] Re: /appadmin/manage/auth GAE access

2015-01-08 Thread Massimo Di Pierro
Checking the code again. appadmin.py calls check_credentials to decide if 
you have access. On GAE it does (in gluon/fileutils.py/check_credentials):

    from google.appengine.api import users
    if users.is_current_user_admin():
        # Signed in to Google as an administrator of the GAE application
        return True
    elif gae_login:
        # Not an admin (or not signed in): respond with a Google sign-in link
        login_html = '<a href="%s">Sign in with your google account</a>.' \
            % users.create_login_url(request.env.path_info)
        raise HTTP(200, '%s' % login_html)
    else:
        return False

users is a GAE API. So if you are not logged in it asks you to sign 
in. If you are signed in and the user is an administrator, it returns True. 
Now Google manages your access, not web2py. This is how Google App Engine works. 

Appadmin has nothing to do with the session of your application. It relies 
exclusively on check_credentials, which relies on Google login. 

You as administrator have to know this and have to log out from Google in 
order to disable access to appadmin.

I am not understanding the issue?
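
An added example, not part of the thread or of web2py's own code: the Google-only decision described above next to a layered variant that also requires an application login holding an admin role, and that hands back a Google logout link to render in the page. The fake `users` and `auth` classes, the `admin` role name and every URL are constructed stand-ins; only the method names mirror `google.appengine.api.users` and web2py's `Auth`.

```python
# Stand-ins so the logic runs without App Engine or web2py installed.

APP_LOGIN = "/myapp/default/user/login?_next="   # hypothetical app login route


class FakeGAEUsers(object):
    """Mimics the google.appengine.api.users calls used below."""
    def __init__(self, signed_in, is_admin):
        self.signed_in, self.is_admin = signed_in, is_admin

    def get_current_user(self):
        return "google-user" if self.signed_in else None

    def is_current_user_admin(self):
        return self.signed_in and self.is_admin

    def create_login_url(self, dest):       # constructed URL shape
        return "/google-login?continue=" + dest

    def create_logout_url(self, dest):      # constructed URL shape
        return "/google-logout?continue=" + dest


class FakeAuth(object):
    """Mimics web2py Auth.is_logged_in() and Auth.has_membership(role=...)."""
    def __init__(self, roles=None):
        self.roles = roles                   # None means no application session

    def is_logged_in(self):
        return self.roles is not None

    def has_membership(self, role=None):
        return self.is_logged_in() and role in self.roles


def google_only_check(users):
    """The decision described in the thread: Google admin status alone."""
    return users.is_current_user_admin()


def layered_check(users, auth, path, role="admin"):
    """Require a Google admin AND an application login holding `role`.

    Returns (allowed, url). When denied, url is where to send the browser;
    when allowed, url is a Google logout link the page can display.
    """
    if users.get_current_user() is None:
        return False, users.create_login_url(path)
    if not users.is_current_user_admin():
        # Signed in with a non-admin Google account: offer sign-out to switch.
        return False, users.create_logout_url(path)
    if not (auth.is_logged_in() and auth.has_membership(role=role)):
        return False, APP_LOGIN + path
    return True, users.create_logout_url("/")


# Constructed scenarios: (label, Google state, application state)
SCENARIOS = [
    ("no Google session",             FakeGAEUsers(False, False), FakeAuth(None)),
    ("Google admin, no app login",    FakeGAEUsers(True, True),   FakeAuth(None)),
    ("Google admin, plain app user",  FakeGAEUsers(True, True),   FakeAuth(["user"])),
    ("Google admin, app admin",       FakeGAEUsers(True, True),   FakeAuth(["admin"])),
    ("Google non-admin, app admin",   FakeGAEUsers(True, False),  FakeAuth(["admin"])),
]


def compare(scenarios):
    """Return (label, google_only, layered_allowed, url) per scenario."""
    rows = []
    for label, users, auth in scenarios:
        allowed, url = layered_check(users, auth, "/appadmin")
        rows.append((label, google_only_check(users), allowed, url))
    return rows


if __name__ == "__main__":
    for row in compare(SCENARIOS):
        print("%-30s google_only=%-5s layered=%-5s -> %s" % row)
```

The second scenario is the one reported in the thread: the Google-only check grants access while the layered check redirects to the application login.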




[web2py] Re: /appadmin/manage/auth GAE access

2015-01-09 Thread Jacinto Parga
Yes!!

It is. The only issue is that the browser can store the google session so I 
have to be careful with this, because you can log out of your google account 
without finishing the appadmin session.

Finally thanks, Massimo.


[web2py] Re: /appadmin/manage/auth GAE access

2015-01-09 Thread Jacinto Parga
Yes, it is very nice and useful.
But I was worried because I thought that anyone could access appadmin if 
I forgot to clear the session in the browser when accessing with a google 
account.
Thanks Samuel 

El viernes, 9 de enero de 2015, 16:46:27 (UTC+1), samuel bonill escribió:
>
> You can use Admin-Plus ( https://github.com/pyner/admin_plus )
