Yes!!

It is. The only issue is that the browser can store the Google session, so I 
have to be careful with this, because you can log out of your Google account 
without finishing the appadmin session.

Finally thanks, Massimo.

On Friday, 9 January 2015, 6:05:52 (UTC+1), Massimo Di Pierro wrote:
>
> Checking the code again. appadmin.py calls check_credentials to decide if 
> you have access. On GAE it does (in gluon/fileutils.py/check_credentials):
>
>         from google.appengine.api import users
>         if users.is_current_user_admin():
>             return True
>         elif gae_login:
>             login_html = '<a href="%s">Sign in with your google account</a>.' \
>                 % users.create_login_url(request.env.path_info)
>             raise HTTP(200, '<html><body>%s</body></html>' % login_html)
>         else:
>             return False
>
> users is a GAE API. So if you are not logged in it asks you to sign 
> in. If you are signed in and the user is an administrator, it returns True. 
> Now Google manages your access, not web2py. This is how Google App Engine works. 
>
> Appadmin has nothing to do with the session of your application. It relies 
> exclusively on check_credentials which relies on Google login. 
>
> You as administrator have to know this and have to log out from Google in 
> order to disable access to appadmin.
>
> I am not understanding the issue?
>
>
>
> On Wednesday, 7 January 2015 17:10:48 UTC-6, Jacinto Parga wrote:
>>
>> First of all thanks so much for your attention Massimo.
>>
>> So I have done a complete example of what I mean.
>>
>> I have deployed an application in GAE: http://web2gae.appspot.com
>>
>> It has a user with administration privileges called: 
>> super...@example.com with password: superadmin
>>
>> I have created a Google email that can log in to the Google App Engine 
>> console (with view privileges): web2g...@gmail.com 
>> with password: superadmin
>>
>> So the thing is, I write in a browser (with no session in Gmail or GAE 
>> initiated): https://web2gae.appspot.com/appadmin
>>
>> and I can access the database appadmin without logging in to the 
>> application, just accessing with the Google account web2g...@gmail.com
>>
>> The thing is that the session may remain in the browser even if I log out 
>> of the Google account. It depends on the browser settings. Without control of 
>> the app's permissions.
>>
>> And I can't find the app /admin to logout once I am in google app engine 
>> application.
>>
>> I hope the example is good...
>>
>> On Wednesday, 7 January 2015 20:20:25 UTC+1, Massimo Di Pierro wrote:
>>>
>>>  you try go to the admin app /admin and press the [logout] button?
>>>
>>> On Wednesday, 7 January 2015 11:34:19 UTC-6, Jacinto Parga wrote:
>>>>
>>>> Well, but I log out of the application. Then I clean the browser history 
>>>> and just put in the browser
>>>> https://myapp.appspot.com/appadmin
>>>> I am required to sign in with a Google account.
>>>>
>>>> I do so, and I can access the complete appadmin functionality, but I 
>>>> had not logged in to the application at all, neither as a user with admin 
>>>> privileges nor as a simple user. And there is no way to log out as I have not 
>>>> logged in to the application. If I log out of my Google account I can continue 
>>>> using the appadmin interface. Even if I log in with another different 
>>>> Google account and access the appadmin several minutes later.
>>>>
>>>> If I use the https://myapp.appspot.com/appadmin/manage/auth then 
>>>> everything works fine because I have to log in as an user with admin 
>>>> privileges.
>>>>
>>>> It is very useful for me to be able to access appadmin in the 
>>>> application deployed in Google App Engine, but how can I force it to log 
>>>> in as a user with admin privileges?
>>>>
>>>> On Wednesday, 7 January 2015 15:47:20 UTC+1, Massimo Di Pierro wrote:
>>>>>
>>>>> I partially agree. Problem is you signed out of google but you did not 
>>>>> sign out of admin. appadmin authorizes you if you are logged into admin. 
>>>>> The fact you logout from google does not automatically sign you out from 
>>>>> admin.
>>>>>
>>>>> Can you reproduce the problem if you sign out from admin?
>>>>>
>>>>> On Wednesday, 7 January 2015 06:08:13 UTC-6, Jacinto Parga wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I have deployed my application in GAE and /appadmin/manage/auth works 
>>>>>> fine, asking for a login to access.
>>>>>>
>>>>>> But, if I try to go to: https://myapp.appspot.com/appadmin
>>>>>>
>>>>>> Then the browser asks me: Sign in with your google account 
>>>>>> <https://www.google.com/accounts/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://clubatletismosada.appspot.com/appadmin&ltmpl=gm&shdf=Ch8LEgZhaG5hbWUaE0NsdWIgQXRsZXRpc21vIFNhZGEMEgJhaCIU4rpxyPjOtFDC1cxqbSHxn4qazIsoATIUrdvnPgTHKBlIIF_ylVxiINsy4sI>
>>>>>> .
>>>>>>
>>>>>> Ok, I sign in with my Google account (the owner of the application) and 
>>>>>> I can access the whole database appadmin without logging in as 
>>>>>> 'administrator' like in /appadmin/manage/auth
>>>>>>
>>>>>> So if the browser keeps the session anyone can access my app 
>>>>>> database from this browser. I have to remove the cookie of the session.
>>>>>>
>>>>>> I think it is a lack of security.
>>>>>>
>>>>>> So I would like to limit the access to 
>>>>>> https://myapp.appspot.com/appadmin in the same way that 
>>>>>> /appadmin/manage/auth
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>
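
Added example (not part of the thread and not web2py's own code): an offline model of the behaviour discussed above, where the quoted check_credentials excerpt lets the Google admin session alone decide, next to a hypothetical stricter gate that also requires an application role. FakeUsers, FakeAuth, gae_only_check, combined_check and the 'admin' role name are assumptions made for illustration.

```python
# Added example: offline model of the appadmin access decision on GAE.
# FakeUsers and FakeAuth are constructed stand-ins, not real GAE/web2py objects.

class FakeUsers(object):
    """Mimics google.appengine.api.users.is_current_user_admin()."""
    def __init__(self, google_admin):
        self.google_admin = google_admin

    def is_current_user_admin(self):
        return self.google_admin


class FakeAuth(object):
    """Mimics web2py Auth.has_membership(role=...); roles=None means
    nobody is logged in to the application."""
    def __init__(self, roles=None):
        self.roles = roles

    def has_membership(self, role=None):
        return self.roles is not None and role in self.roles


def gae_only_check(users):
    """Decision made by the quoted excerpt: the Google session alone decides."""
    return users.is_current_user_admin()


def combined_check(users, auth, role='admin'):
    """Hypothetical stricter gate: Google admin AND an application role."""
    return users.is_current_user_admin() and auth.has_membership(role=role)


def decision_table(role='admin'):
    """Return (google_admin, app_roles, gae_only, combined) for every case."""
    rows = []
    for google_admin in (False, True):
        for roles in (None, ['member'], [role]):
            users, auth = FakeUsers(google_admin), FakeAuth(roles)
            rows.append((google_admin, roles,
                         gae_only_check(users),
                         combined_check(users, auth, role)))
    return rows


if __name__ == '__main__':
    for row in decision_table():
        print(row)
```

The row (True, None, True, False) is the case raised in the thread: a Google admin session with no application login passes the GAE-only check but not the combined one.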
